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SAFETY SUMMARY 


What happened 


On 4 November 2010, while climbing through 7,000 ft after departing from Changi 
Airport, Singapore, the Airbus A380 registered VH-OQA, sustained an uncontained 
engine rotor failure (UERF) of the No. 2 engine, a Rolls-Royce Trent 900. Debris 
from the UERF impacted the aircraft, resulting in significant structural and systems 
damage. 


The flight crew managed the situation and, after completing the required actions for 
the multitude of system failures, safely returned to and landed at Changi Airport. 


What the ATSB found 


The Australian Transport Safety Bureau (ATSB) found that a number of oil feed 
stub pipes within the High Pressure / Intermediate pressure (HP/IP) hub assembly 
were manufactured with thin wall sections that did not conform to the design 
specifications. These non-conforming pipes were fitted to Trent 900 engines, 
including the No. 2 engine on VH-OQA. The thin wall section significantly reduced 
the life of the oil feed stub pipe on the No. 2 engine so that a fatigue crack 
developed, ultimately releasing oil during the flight that resulted in an internal oil 
fire. That fire led to the separation of the intermediate pressure turbine disc from the 
drive shaft. The disc accelerated and burst with sufficient force that the engine 
structure could not contain it, releasing high-energy debris. 


What has been done to fix it 


Following the UERF, the ATSB, Rolls-Royce plc, regulatory authorities and 
operators of A380 aircraft with Trent 900 engines took a range of steps to ensure 
that HP/IP hub assemblies with non-conforming oil feed stub pipes were identified 
and either removed from service, or managed to ensure their safe continued 
operation. Rolls-Royce also released an engine control software update that 
included an IP turbine overspeed protection system (IPTOS) that is designed to shut 
the engine down before the turbine disc can overspeed, in the unlikely event that a 
similar failure occurs. 


Rolls-Royce has also made a range of changes to their quality management system 
to improve the way in which they manage non-conforming parts, both during the 
manufacturing process and when it has been identified that parts had unknowingly 
been released into service with non-conformances. 


Safety message 


The ATSB identified a number of issues during the manufacture of Trent 900 HP/IP 
hub assemblies that resulted in their release into service with non-conforming oil 
feed stub pipes. Those issues highlighted the importance of providing clear 
procedures during the manufacturing process and of personnel complying with 
those procedures. Even though modern civil turbine engines are very reliable, and 
UERFs are very rare events, the resulting damage from such a failure can be 
significant and the potential effects catastrophic. This accident represents an 
opportunity for the regulatory authorities to incorporate any lessons learned into 
their certification advisory material to enhance the safety of future aircraft designs. 
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THE AUSTRALIAN TRANSPORT SAFETY BUREAU 


The Australian Transport Safety Bureau (ATSB) is an independent Commonwealth 
Government statutory agency. The Bureau is governed by a Commission and is 
entirely separate from transport regulators, policy makers and service providers. 
The ATSB's function is to improve safety and public confidence in the aviation, 
marine and rail modes of transport through excellence in: independent investigation 
of transport accidents and other safety occurrences; safety data recording, analysis 
and research; fostering safety awareness, knowledge and action. 


The ATSB is responsible for investigating accidents and other transport safety 
matters involving civil aviation, marine and rail operations in Australia that fall 
within Commonwealth jurisdiction, as well as participating in overseas 
investigations involving Australian registered aircraft and ships. A primary concern 
is the safety of commercial transport, with particular regard to fare-paying 
passenger operations. 


The ATSB performs its functions in accordance with the provisions of the 
Transport Safety Investigation Act 2003 and Regulations and, where applicable, 
relevant international agreements. 


Purpose of safety investigations 


The object of a safety investigation is to identify and reduce safety-related risk. 
ATSB investigations determine and communicate the safety factors related to the 
transport safety matter being investigated. The terms the ATSB uses to refer to key 
safety and risk concepts are set out in the next section: Terminology Used in this 
Report. 


It is not a function of the ATSB to apportion blame or determine liability. At the 
same time, an investigation report must include factual material of sufficient weight 
to support the analysis and findings. At all times the ATSB endeavours to balance 
the use of material that could imply adverse comment with the need to properly 
explain what happened, and why, in a fair and unbiased manner. 


Developing safety action 


Central to the ATSB’s investigation of transport safety matters is the early 
identification of safety issues in the transport environment. The ATSB prefers to 
encourage the relevant organisation(s) to initiate proactive safety action that 
addresses safety issues. Nevertheless, the ATSB may use its power to make a 
formal safety recommendation either during or at the end of an investigation, 
depending on the level of risk associated with a safety issue and the extent of 
corrective action undertaken by the relevant organisation. 


When safety recommendations are issued, they focus on clearly describing the 
safety issue of concern, rather than providing instructions or opinions on a preferred 
method of corrective action. As with equivalent overseas organisations, the ATSB 
has no power to enforce the implementation of its recommendations. It is a matter 
for the body to which an ATSB recommendation is directed to assess the costs and 
benefits of any particular means of addressing a safety issue. 


When the ATSB issues a safety recommendation to a person, organisation or 
agency, they must provide a written response within 90 days. That response must 
indicate whether they accept the recommendation, any reasons for not accepting 
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part or all of the recommendation, and details of any proposed safety action to give 
effect to the recommendation. 


The ATSB can also issue safety advisory notices suggesting that an organisation or 
an industry sector consider a safety issue and take action where it believes 
appropriate, or to raise general awareness of important safety information in the 
industry. There is no requirement for a formal response to an advisory notice, 
although the ATSB will publish any response it receives. 


Report structure 


Previous ATSB aviation occurrence investigation reports have closely followed the 
suggested report structure in the appendix of International Civil Aviation 
Organisation Annex 13. That suggested structure splits the report into four sections: 
factual information, analysis, conclusions and safety recommendations. 


Annex 13 also states that the Final Report *may be prepared in the format 
considered to be the most appropriate in the circumstances' (chapter 6). In this 
context, the factual information is divided into four main parts: 


* Part 1—Occurrence flight; 

* Part 2—Engine; 

* Part 3—Engine failure sequence; 
e Part 4—Manufacturing. 


The ATSB analysis of this information is included throughout the report, either as 
*observations' in grey filled observation boxes where appropriate, or as part of the 
analysis in Part 5 of the report. *Observations' are also used to explain pertinent 
information to assist the reader in their understanding of the factual information 
presented. 
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TERMINOLOGY USED IN THIS REPORT 


Occurrence: accident or incident. 


Safety factor: an event or condition that increases safety risk. In other words, it is 
something that, if it occurred in the future, would increase the likelihood of an 
occurrence, and/or the severity of the adverse consequences associated with an 
occurrence. Safety factors include the occurrence events (e.g. engine failure, signal 
passed at danger, grounding), individual actions (e.g. errors and violations), local 
conditions, current risk controls and organisational influences. 


Contributing safety factor: a safety factor that, had it not occurred or existed at the 
time of an occurrence, then either: (a) the occurrence would probably not have occurred; 
or (b) the adverse consequences associated with the occurrence would probably not have 
occurred or have been as serious, or (c) another contributing safety factor would 
probably not have occurred or existed. 


Other safety factor: a safety factor identified during an occurrence investigation which 
did not meet the definition of contributing safety factor but was still considered to be 
important to communicate in an investigation report in the interests of improved 
transport safety. 


Other key finding: any finding, other than that associated with safety factors, 
considered important to include in an investigation report. Such findings may resolve 
ambiguity or controversy, describe possible scenarios or safety factors when firm safety 
factor findings were not able to be made, or note events or conditions which 'saved the 
day' or played an important role in reducing the risk associated with an occurrence. 


Safety issue: a safety factor that (a) can reasonably be regarded as having the potential 
to adversely affect the safety of future operations, and (b) is a characteristic of an 
organisation or a system, rather than a characteristic of a specific individual, or 
characteristic of an operational environment at a specific point in time. 


Safety action: the steps taken or proposed to be taken by a person, organisation or agency in 
response to a safety issue. 


EXECUTIVE SUMMARY 


Key investigation outcomes 


On 4 November 2010, an uncontained failure of the intermediate pressure turbine 
disc occurred in the No. 2 engine, of an Airbus A380 aircraft, registered VH-OQA, 
overhead Batam Island, Indonesia. The failure was the result of an internal oil fire 
within the Rolls-Royce Trent 900 engine that led to the separation of the 
intermediate pressure turbine disc from its shaft. The fire started when oil was 
released from a crack in the pipe that supplied oil to the high pressure/intermediate 
pressure (HP/IP) turbine bearing chamber. The Australian Transport Safety Bureau 
(ATSB) found that the oil pipe cracked because it had a thin wall from a misaligned 
counter bore that did not conform to the design specification. 


Immediately after the accident, and then progressively during the preliminary stages 
of the investigation, the ATSB interacted with a number of organisations who 
advised of various proactive safety actions taken to prevent a recurrence. The ATSB 
monitored those proactive safety actions to ensure that the safety issues indicated by 
the accident were being addressed. In particular, the ATSB identified a safety issue 
that affected all Trent 900 series engines in the world-wide fleet. On 1 December 
2010, the ATSB issued a safety recommendation to Rolls-Royce plc to address that 
issue and published a preliminary investigation report that set out the context for 
that recommendation. 


As a result of its continuing investigation, the ATSB identified a number of factors 
that resulted in the manufacture and release into service of non-conforming oil feed 
pipes. Those factors occurred over a number of years, and highlighted the 
importance of manufacturers providing clear procedures and of personnel 
complying with those procedures. Throughout the investigation, the ATSB 
continued to work with the aircraft and engine manufacturers to ensure that any 
identified safety issues were addressed and actions taken to prevent a similar 
occurrence. 


The ATSB also identified that this accident represented an opportunity to extend the 
knowledge base relating to the hazards from uncontained engine rotor failure 
(UERF) events and to incorporate that knowledge into airframe certification 
advisory material in order to further minimise the effects of a UERF on future 
aircraft designs. As a result, the ATSB issued recommendations to the European 
Aviation Safety Agency and the United States Federal Aviation Administration, 
recommending that both organisations review the damage sustained by the aircraft 
in order to incorporate any lessons learned from this accident into the certification 
compliance advisory material. 


The occurrence flight 


The aircraft departed Changi Airport, Singapore on a scheduled passenger flight to 
Sydney, Australia. About 4 minutes after take-off, while the aircraft was climbing 
through about 7,000 ft, the flight crew heard two ‘bangs’ and a number of warnings 
and cautions were displayed on the electronic centralised aircraft monitor (ECAM ). 


Initially, the ECAM displayed a message warning of turbine overheat in the No. 2 
(inner left) engine. That warning was followed soon after by a multitude of other 
messages relating to a number of aircraft system problems. After assessing the 
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situation and completing a number of initial response actions, the flight crew were 
cleared by ATC to conduct a holding pattern to the east of Changi Airport. While in 
the holding pattern, the flight crew worked through the procedures relevant to the 
messages displayed by the ECAM. During that time the flight crew were assisted by 
additional crew that were on the flight deck as part of a check and training exercise. 


The aircraft sustained significant impact damage to the left wing by fragments and 
debris from the UERF, and fuel was leaking from the damaged left wing fuel tanks. 
However, after completing the ECAM procedures and performing some aircraft 
controllability checks, the flight crew landed the aircraft safely at Changi Airport. 


After landing, fuel continued to leak from the left wing tank. The risk associated 
with this leak was minimised by the airport emergency services by applying large 
quantities of water and foam below the left wing while the aircraft's engines were 
shut down. 


The No. 1 (outer left) engine continued to run following the normal shut-down 
procedure. Because of the still-running engine and leaking fuel on the left side, the 
passengers were disembarked via a set of stairs on the right side of the aircraft. The 
disembarkation was completed about 2 hours after the aircraft landed. Numerous 
unsuccessful attempts to shut down the No. 1 engine were made by the flight crew, 
maintenance engineers and the airport emergency services using different methods . 
The engine was finally shut down about 3 hours after the aircraft landed by 
pumping firefighting foam directly into the engine inlet. 


The ATSB found that the flight crew and cabin crew managed the event as a 
competent team in accordance with standard operating procedures and practices. 


Damage to the aircraft 


The aircraft sustained damage from a large number of disc fragments and associated 
debris. The damage affected the aircraft's structure and a number of its systems. 


The ATSB found that a large fragment of the turbine disc penetrated the left wing 
leading edge before passing through the front spar into the left inner fuel tank and 
exiting through the top skin of the wing. The fragment initiated a short duration low 
intensity flash fire inside the wing fuel tank. The ATSB determined that the 
conditions within the tank were not suitable to sustain the fire. 


Another fire was found to have occurred within the lower cowl of the No. 2 engine 
as a result of oil leaking into the cowl from the damaged oil supply pipe. The fire 
lasted for a short time and self-extinguished. 


The large fragment of the turbine disc also severed wiring looms inside the wing 
leading edge that connected to a number of systems. 


A separate disc fragment severed a wiring loom located between the lower centre 
fuselage and body fairing. That loom included wires that provided redundancy 
(back —up) for some of the systems already affected by the severing of wires in the 
wing leading edge. This additional damage rendered some of those systems 
inoperative. 


The aircraft's hydraulic and electrical distribution systems were also damaged, 
which affected other systems not directly impacted by the engine failure. 
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Engine failure sequence 


The crack in the oil feed pipe was a result of fatigue and had developed over some 
time. On the occurrence flight, the crack grew to a size that allowed oil in the pipe 
to be released into the buffer space between the bearing chamber and the hot air 
surrounding the IP turbine disc. The oil was released as an atomised spray and the 
air within the buffer space was sufficiently hot for the oil to auto-ignite. 


The resulting fire propagated through the bearing chamber buffer space and 
eventually impinged upon the IP turbine disc drive arm, resulting in the separation 
of the disc from the drive shaft. Following the separation of the disc, the engine 
behaved in a manner different to that anticipated by the manufacturer during engine 
design and testing. The disc accelerated to a speed in excess of its structural 
capacity and burst into three main segments, with sufficient force to puncture the 
engine case at high velocity. 


The ATSB found that the crack formed in a section of the HP/IP bearing chamber 
oil feed pipe, known as the oil feed stub pipe. That section of pipe contained an area 
of reduced wall thickness, which resulted from the misalignment of a counter bore 
machined into the end of the stub pipe during manufacture. A detailed engineering 
analysis found that the stresses generated in the oil feed stub pipe were sensitive to 
the wall thickness, which in turn had a significant effect on the pipe's fatigue life. 
The ATSB found that the alignment of the counter bore did not conform to the 
design specification. 


Following the event, the engine manufacturer determined that a significant number 
of HP/IP bearing support assemblies were produced with oil feed stub pipes that did 
not conform to the design specification. Those assemblies had been released into 
service and were fitted to a number of engines in the Trent 900 fleet. As a result, on 
1 December 2010 the ATSB issued a safety recommendation for Rolls-Royce plc to 
address this issue. Rolls-Royce took action to fully address the recommendation. 


Manufacture of non-conforming oil feed stub pipes 


The ATSB found that the misalignment of the counter bores was the result of 
movement within the HP/IP bearing support assembly during manufacture and that 
a number of opportunities existed during the design and manufacture processes 
where the misaligned oil feed stub pipe counter bores could have been identified 
and managed. Those opportunities were missed for a number of reasons, but 
generally because of ambiguities within the manufacturer's procedures and the non- 
adherence by a number of the manufacturing staff to those procedures. 


During the development of the Trent 900 engine, a manufacturing datum (or 
reference) was introduced to specify the location of the oil feed stub pipe counter 
bore. That manufacturing datum was intended to replace the datum from the design 
specification, as the design datum became inaccessible when the oil feed stub pipe 
was fitted to the HP/IP bearing support assembly. The manner in which the 
manufacturing datum was represented on the manufacturing drawings resulted in its 
position not being constrained to the location of the oil feed stub pipe. This had 
several flow-on effects that made it more difficult to detect the misaligned counter 
bores and the effect that it had on the wall thickness of the oil feed stub pipe. 


During an inspection of the first HP/IP bearing support assembly manufactured in 
2005, the manufacturing drawings were referenced rather than the design definition 
drawings. The manufacturer's procedures for the inspection contained ambiguity 
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that may have influenced the inspector's decision to use the manufacturing 
drawings. As a result, the lack of constraint on the manufacturing datum was not 
identified and the HP/IP bearing support assembly entered into production without 
having properly shown compliance with the design specification. 


The HP/IP bearing support assembly was released into service without the non- 
conforming oil feed stub pipe being reported in accordance with the manufacturer's 
non-conformance management procedures. Due to an absence of some of the 
inspection records for the HP/IP bearing support assembly in the No. 2 engine from 
VH-OQA, the ATSB could not determine exactly why the non-conformance was 
not reported. 


Similarly, records for HP/IP bearing support assemblies from other Trent 900 
engines produced around that time had not been retained by the manufacturer. The 
ATSB therefore could not determine how they were released without the non- 
conformances being reported. However, the ATSB identified that a culture existed 
within the manufacturer's facility that produced the HP/IP bearing support 
assemblies where it was considered acceptable to not report what were considered 
to be *minor' non-conformances. 


In 2007, the manufacturer identified that a number of components had left the 
facility with unreported non-conformances and carried out a major quality 
investigation. After that investigation, a number of newly manufactured non- 
conforming oil feed stub pipe counter bores were identified and reported by 
manufacturing personnel. However, due to a difference between the reference 
datum used by the manufacturer's automated measuring machines and the datum 
specified on the drawings, the engineers assessing the effect of the non- 
conformance misunderstood how the non-conformance would affect the wall 
thickness of the oil feed stub pipe. 


In March 2008, a manufacturing engineer identified that oil feed stub pipe counter 
bores were misaligned in previously manufactured and released HP/IP bearing 
support assemblies. The engineer was the first to identify the effect that 
misalignment of the counter bore had on the wall thickness of the pipe. 


In an attempt to estimate the potential size of the misalignment within all of the 
previously-manufactured HP/IP bearing support assemblies, the engineer measured 
all nine of the HP/IP bearing support assemblies available at the facility at that time 
and performed a statistical analysis on those measurements. Based on that analysis, 
the engineer applied for an engineering assessment to establish the suitability of 
those non-conforming oil feed stub pipes for continued use. This application was 
submitted through the manufacturer's non-conformance management system. There 
was a level of uncertainty inherent within the statistical analysis method used in that 
assessment. The uncertainty was not effectively communicated to, or understood 
by, the engineers that assessed the application and 'retrospective' approval was 
given to permit those non-conforming HP/IP bearing support assemblies to remain 
in service. 


The manufacturer's procedure for such retrospective approvals (known as 
retrospective concessions) required that the application be approved by both the 
Chief Engineer and the Business Quality Director. For a reason that could not be 
positively identified by the ATSB, neither the Chief Engineer's nor the Business 
Quality Director's approval for the oil feed stub pipe counter bore retrospective 
concession were sought. This omission denied the Chief Engineer the opportunity 
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to assess what risk the non-conformance may have had upon the fleet of in-service 
Trent 900 engines. 


The ATSB found no other opportunities where the potential for cracking in the oil 
feed stub pipes could have been identified and the non-conformances managed prior 
to the UERF on VH-OQA. 


Minimisation of hazards resulting from an 
uncontained engine rotor failure 


The United States Federal Aviation Administration (FAA) and the European 
Aviation Safety Agency (EASA) had promulgated advisory material for the 
minimisation of hazards resulting from uncontained engine rotor failures (UERF). 
That material was designed to assist manufacturers in meeting the requirement of 
the relevant certification standard. The advisory material was based on service 
experience, including accident investigation findings. The damage to VH-OQA 
exceeded the parameters of the model provided in the advisory material for 
predicting the likely damage from a UERF. Information from the accident 
represents an opportunity to incorporate any lessons learned from this accident in 
the advisory material. The ATSB therefore issued recommendations to EASA and 
FAA to address this opportunity. 


Investigation process 


The ATSB's investigation covered a range of complex issues to determine the 
factors involved in the occurrence. This could not have been achieved without the 
expertise and cooperation of: 


* Air Accident Investigation Bureau of Singapore 

e Airbus SAS 

e Civil Aviation Safety Authority of Australia 

e European Aviation Safety Agency 

e French Bureau d'Enquétes et d' Analyses pour la sécurité de l'aviation 
civile 

e Indonesian National Transportation Safety Committee 

* Qantas Airways Ltd 

e Rolls-Royce plc 

* United Kingdom Air Accident Investigation Branch 


* United Kingdom Civil Aviation Authority. 


The ATSB acknowledges and is grateful for the cooperation received from those 
organisations. 
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Federal Aviation Administration (United States) 
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First article inspection 

First article inspection report 

Flight Crew Emergency Procedures Manual 
Flight Crew Operating Manual 

Flight Crew Training Manual 

Flight data recorder 

Fire detection unit 

Failure modes effects and criticality analysis 
Flight management system 

Group quality procedure 

Hucknall Casings and Structures 

High pressure 

High pressure stage 3 
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International Aerospace Quality Group 
International Civil Aviation Organization 
Intermediate pressure 
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Intermediate pressure turbine overspeed protection system 
International Organisation for Standardisation 
Joint Aviation Requirements 
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SFAR Special Federal Aviation Regulation 
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VQAR Virtual quick access recorder 
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1.1 


1.1.1 


FACTUAL INFORMATION: OCCURRENCE 
FLIGHT 


Sequence of events 


In-flight engine failure 


On 4 November 2010, at 01:56:47 Coordinated Universal Time (UTC),' an Airbus 
A380 aircraft (A380), registered VH-OQA and being operated as Qantas flight 32, 
departed from runway 20 centre (20C) at Changi Airport, Singapore, for Sydney, 
Australia. On board were five flight crew,? 24 cabin crew and 440 passengers. 


Following a normal takeoff, the crew retracted the landing gear and flaps and 
changed the thrust setting to climb. At about 02:01, while maintaining 250 kt in the 
climb and passing 7,000 ft above mean sea level (AMSL), the crew heard two, 
almost coincident ‘loud bangs’. The captain immediately selected altitude and 
heading hold mode on the auto flight system control panel. 


The crew reported that there was a slight yaw and the aircraft levelled off in 
accordance with the selection of altitude hold. The captain stated that he expected 
the aircraft’s autothrust system to reduce thrust on the engines to maintain 250 kt as 
the aircraft levelled off. However, the autothrust system was no longer active, so he 
manually retarded the thrust levers to control the aircraft’s speed. 


Initial ECAM actions 


The electronic centralised aircraft monitoring (ECAM)? (Figure 1) displayed a 
message indicating a No. 2 engine turbine overheat warning. Soon after, the ECAM 
began displaying multiple messages (Appendix A). The captain confirmed with the 
other flight crew that he had control of the aircraft and instructed the first officer to 
commence the procedures as presented on the ECAM. 


The procedure for the overheat message was to move the affected engine’s thrust 
lever to the idle position and to monitor the situation for 30 seconds. During that 
30 second monitoring period, at 02:02:00, the crew transmitted a PAN to 
Singapore air traffic control (ATC). The first officer also reported observing an 
ECAM warning of a fire in the No. 2 engine that was displayed for about 1 to 


Singapore local time was UTC - 8 hours. 


The flight crew comprised the normal operating crew (captain and first officer) with the addition 
of a second officer for crew relief purposes. This flight also carried a check captain under training 
and a supervising check captain, who was supervising the check captain under training. AII flight 
crew were located in the cockpit. 


The ECAM provides information to the crew on the status of the aircraft and its systems. It also 
presents the required steps of applicable procedures when an abnormal condition has been 
detected by the monitoring system. 


An internationally recognised radio call announcing an urgency condition which concerns the 
safety of an aircraft or its occupants but where the flight crew does not require immediate 
assistance. 


2 seconds, before the ECAM reverted to the overheat warning and reinitiated the 
30 second monitoring period. As part of the turbine overheat procedure, the crew 
elected to shut down the No. 2 engine. During the shutdown procedure, the ECAM 
displayed a message indicating that the No. 2 engine had failed. 


A damage assessment as part of the engine failure procedure suggested that the 
damage to the No. 2 engine was serious and the flight crew discharged one of the 
engine's two fire extinguisher bottles. Contrary to their expectation, the flight crew 
did not receive confirmation that the fire extinguisher bottle had discharged. They 
repeated the procedure for discharging the fire extinguisher and again did not 
receive confirmation that it had discharged. 


The flight crew recalled that, after a brief discussion, they followed the procedure 
for discharging the second fire extinguisher bottle into the No. 2 engine. After 
completing that procedure twice, they did not receive confirmation that the second 
bottle had discharged. They then elected to continue the engine failure procedure, 
which included initiating a process of fuel transfer. 


The engine/warning display indicated that the No. 2 engine had changed to a failed 
mode, No. 1 and 4 engines had reverted to a degraded mode? and that No. 3 engine 
was operating in an alternate mode (Figure 1). 


Figure 1: Engine/warning display 


Image source: Image taken during the occurrence flight; supplied by a flight crew member. 


Managing the situation 


The flight crew discussed the available options to manage the situation, including 
an immediate return to Singapore, climbing or holding. As the aircraft remained 
controllable, and there was ample fuel on board, it was decided that the best option 
would be to hold at the present altitude while they processed the ECAM messages 
and associated procedures. The flight crew recalled frequently reviewing this 
decision and assessing the amount of fuel on board. 


The flight crew contacted ATC and advised that they would need about 30 minutes 
to process the ECAM messages and associated procedures, and requested an 


^  Degraded or alternate engine mode indicates that some air data or engine parameters are not 


available. 


appropriate holding position in order for that to occur. ATC initially cleared the 
flight crew to conduct a holding pattern to the east of Singapore. Following further 
discussion amongst the flight crew, ATC was advised that a holding area within 

30 NM (56 km) of Changi Airport was required. ATC acknowledged that 
requirement and directed the aircraft to a different area to the east of the airport and 
provided heading information to maintain the aircraft in an approximately 20 NM 
(37 km) long racetrack holding pattern at 7,400 ft (Figure 2). ATC also advised of 
reports that a number of aircraft components had been found by residents of Batam 
Island, Indonesia. 


Figure 2: Flight path during the event 
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Image source: Google Earth. 


Observations of the aircraft's damage from the cabin 


At the time of the engine failure, the seat belt sign was on and all cabin crew and 
passengers were seated. Cabin crew and passengers observed damage to the 
aircraft’s left wing and fuel escaping from that wing. The customer service manager 
(CSM) and other cabin crew attempted to contact the captain at that time to report 
the observed damage, however, the flight crew did not respond. 


While the flight crew continued to process the ECAM messages and associated 
procedures, the second officer went into the cabin to visually assess the damage. As 
the second officer moved through the cabin, a passenger, who was also a pilot for 
the operator, brought his attention to a view of the aircraft from the vertical fin- 
mounted camera that was displayed on the aircraft's in-flight entertainment system. 
That display showed a fuel leak from the left wing. 


The second officer proceeded to the main (lower) deck and observed damage to the 
left wing and fuel leaking from the wing. He recalled that the leak appeared to be 
coming from underneath the wing in the vicinity of the No. 2 engine, and that the 
trail was about 0.5 m wide (Figure 3). He reported that he could not see the turbine 


area of the No. 2 engine from anywhere within the cabin. The second officer 
returned to the cockpit and reported his observations to the other members of the 
flight crew. 


The captain and the supervising check captain made a number of public address 
(PA) announcements during the flight to inform the cabin crew and passengers of 
the situation and to provide updates when required. 


Figure 3: Fuel leaking from the left wing 
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Image source: Supplied by a passenger. 


Completion of ECAM procedures 


The flight crew reported that, during their assessment of subsequent multiple fuel 
system ECAM messages, they elected not to initiate further fuel transfer as they 
were unsure of the integrity of the fuel system. In addition, the flight crew could not 
jettison fuel due to damage to the fuel management system. 


The flight crew also received an aircraft communications addressing and reporting 
system (ACARS)* message from the aircraft operator that indicated that multiple 
failure messages had been received from the aircraft by the operator. At the time, 
the flight crew were busy managing the ECAM messages and procedures, and only 
had time to acknowledge but not respond to that ACARS message. 


Tt took about 50 minutes for the flight crew to complete all of the initial procedures 
associated with the ECAM messages. 
Preparations for landing 


On completion of the ECAM procedures, the flight crew assessed the aircraft's 
systems to determine their functionality and the effect of any failures or inoperative 


6 A wireless communication system that was used to transmit and receive data and text messaged to 


and from the aircraft. 


systems on further operations. This included attempting to calculate the landing 
distance using the landing performance application (LPA)’ (section 1.14). 


The inoperative wing leading edge lift devices, reduced braking function, reduced 
number of operational spoilers and inactive left engine thrust reverser? resulted in 
an abnormal landing configuration, which in turn affected the landing distance 
calculation. After some initial difficulty in calculating the landing distance required 
due to the high number of system and flight control malfunctions, the flight crew 
determined that a landing within the distance available on runway 20C at Changi 
Airport was achievable and proceeded on that basis. 


The flight crew advised ATC that on landing they required emergency services, and 
that the aircraft was leaking fuel from the left wing. The captain called the CSM on 
the interphone to advise him of the potential for a runway overrun and evacuation, 
and the CSM and cabin crew prepared the cabin for this possibility. 


Prior to leaving the holding pattern, the crew discussed the controllability of the 
aircraft and conducted a number of manual handling checks. The crew determined 
that the aircraft remained controllable, and advised ATC that they required a long 
final approach to runway 20C. 


The approach and landing 


The flight crew progressively configured the aircraft for the approach and landing 
and conducted further controllability checks in each new configuration. As a result 
of the damage to the aircraft, extending the landing gear required use of the 
emergency extension procedure.? 


Singapore ATC radar vectored the aircraft to a position 20 NM (37 km) from the 
threshold of runway 20C and provided for a progressive descent to 4,000 ft. The 
captain set engines No. 1 and 4 to provide symmetrical thrust, and controlled the 
aircraft's speed with thrust from No. 3 engine. 


Following the engine failure and subsequent system damage, the autopilot remained 
operational. The captain, as the handling pilot, continued to fly the aircraft using the 
autopilot during the time that the crew managed the ECAM procedures. The captain 
manually disconnected the autopilot to conduct control checks to assess the 
handling qualities of the aircraft, before re-engaging it. The autopilot disconnected 
twice during the approach—these were automatic disconnections in response to pre- 
set functions within the autopilot system relating to the aircraft's angle of attack. 
When the autopilot disconnected for the second time (at about 800 ft) the captain 
elected to leave it disconnected and manually fly the aircraft for the remainder of 
the approach. 


The aircraft touched down at 03:46:47 and the captain applied the brakes and 
selected reverse thrust on the No. 3 engine. The flight crew observed that the 
deceleration appeared to be ‘slow’ in the initial landing roll, but that with the 
braking effort being used and reverse thrust, the aircraft began to slow. The captain 
recalled feeling confident that, as the speed approached 60 kt, the aircraft would be 


A computer application within the aircraft's onboard information system (OIS) used to calculate 
aircraft landing performance. 


The A380 is equipped with thrust reversers on the inboard (No. 2 and 3) engines only. 


An alternative method of extending the landing gear using gravity. 


1.1.2 


able to stop in the remaining runway. The No. 3 engine was gradually moved out of 
maximum reverse thrust and manual braking was continued until the aircraft came 
to a stop about 150 m from the end of the runway. The aircraft was attended by 
emergency services. 


Events on the ground following the landing 


On completion of the landing roll, the flight crew commenced shutting down the 
remaining engines and, when the final engine master switch was selected OFF, the 
aircraft's electrical system went into a configuration similar to the emergency 
electrical power mode. That rendered all but one of the aircraft' s cockpit displays 
inoperative (blank), and meant that there was only one very high frequency (VHF) 
radio available to the crew. 


It was reported that, just before the cockpit displays went blank, a number of the 
flight crew noticed that the left body landing gear brake temperature was indicating 
900 ?C, and rising. After some initial confusion about which radio was functioning, 
the first officer contacted the emergency services fire commander, who asked for 
the No. 1 engine to be shut down. The first officer responded that they had done so 
already, but was advised again by the fire commander that the engine continued to 
run. 


The flight crew briefly discussed the still-running No. 1 engine and recycled the 
engine master switch to OFF, but the engine did not shut down. In response, the 
flight crew decided to press the engine fire push button and then fire extinguisher 
bottles in an attempt to shut down the engine. This was also ineffective and the 
engine continued to run. At this stage, the fire commander indicated that there 
appeared to be fuel leaking from the aircraft's left wing. The first officer advised 
the commander of the hot brakes and requested that fire retardant foam be applied 
over the leaking fuel. The firefighters had already commenced laying a foam 
blanket over the fuel leak in accordance with the airport emergency services 
standard operating procedures. 


The flight crew then discussed the options for disembarking the passengers. The 
captain made a PA announcement to the cabin crew and passengers to advise them 
of the situation, and that the emergency services were dealing with a fluid leak from 
the left side of the aircraft. After accessing the necessary checklists relating to the 
evacuation of the passengers and crew, and with the knowledge that the fire risk 
was being managed and had decreased, the crew decided that a precautionary 
disembarkation via stairs on the right of the aircraft would be the safest course of 
action. 


The flight crew elected to use a single door for the disembarkation so that the 
passengers could be accounted for as they left the aircraft and to keep the remainder 
of the right side of the aircraft clear in case of the need to deploy the escape slides. 
They also decided to leave the remaining doors armed, with cabin crew members at 
those doors ready to activate the respective escape slides until all of the passengers 
were off the aircraft. About 13 minutes after the aircraft landed, the flight crew 
asked the fire commander to have stairs brought to the right of the aircraft and to 
arrange for buses to move the passengers to the terminal. Consideration of how to 
shut down the No. 1 engine continued, with some flight crew members contacting 
the operator via mobile phone to seek further assistance. 


1.2 


1.3 


Stairs arrived at the aircraft about 35 minutes after landing and the first bus arrived 
about 10 minutes later. Passengers commenced disembarking from the aircraft via 
the No. 2 main (lower) deck forward door about 50 minutes after the aircraft 
touched down. The last passengers disembarked the aircraft about 1 hour later. 


Throughout the disembarkation, the flight crew, under advice from the operator's 
maintenance personnel, attempted to shut down the No. 1 engine through various 
alternative means. That included activating a series of circuit breakers in the 
aircraft’s equipment bay and reconfiguring the transfer valves in the aircraft’ s 
external refuelling panel to transfer fuel away from the engine. All of these attempts 
were unsuccessful. 


Maintenance personnel also attended the aircraft and attempted a number of 
methods to shut down the engine, each without success. Finally, the decision was 
taken by the operator to ‘drown’ the engine, initially with water and then with fire 
fighting foam from the airport emergency services fire vehicles (Figure 4). The 
No. 1 engine was reported to have been shut down at 06:53:00, about 3 hours after 
the aircraft landed. 


Figure 4: Fire-fighters ‘drowning’ the No. 1 engine with foam 


Injuries to persons 


There were no reported injuries to the crew or passengers. There were no confirmed 
injuries to persons on Batam Island. 


Damage to the aircraft 


Initial inspection revealed that the No. 2 engine sustained an uncontained failure in 
the turbine region and that debris from the engine damaged the airframe and 
systems. 


1.3.1 No. 2 engine damage 


There was damage to the cowling and thrust reversers towards the rear of the engine 
and sooting on the rear section of the cowl (Figure 5). There was extensive damage 
to the turbine region of the engine, detail of which is covered in Part 2 of this report. 


Figure 5: General damage to the No. 2 engine 
Vwi FF BGtJS.UE tale uc. T 


1.3.2 Airframe damage 


Liberated material from the uncontained engine failure resulted in significant 
damage to the airframe structure and systems. The structural damage included the: 


e No. 2 engine support structure (Figure 6) 


* left wing upper and lower skins, front spar and internal ribs (Figure 7 and 
Figure 8) 


* left wing-to-fuselage joint (indentation and scoring). 


Figure 6: Damage to the No. 2 engine support structure 
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Figure 7: Examples of damage to the left wing 
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Image source: Supplied by a passenger. 


Figure 8: Example of internal damage to the left wing (looking forward and up) 


In addition to the damage to the primary structure, the left wing lower skin, fuselage 
skins and vertical and horizontal stabilisers contained numerous indentations and 
score marks from debris impacts. Further information on the airframe damage is 
contained in Appendix B. 


System effects 


The debris from the engine failure directly damaged a number of systems and a 
number of other systems were affected as a result. Although some systems 
sustained direct mechanical damage, most of the affected systems were damaged 
through debris impact to the respective wiring looms. T'wo main wiring looms were 
impacted by debris; one running through the leading edge of the left wing 

(Figure 9), and the other in the belly fairing (Figure 10). This amounted to damage 
to about 650 wires in total. 
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Figure 9: Example of wiring damage in the left wing (looking rearwards) 


The following systems were affected either as a direct result of the damage from the 
engine failure, or due to actions taken by the flight crew as part of the ECAM 
procedures: 


* Hydraulic power, as a result of: 
— the loss of function to the aircraft's green hydraulic system 


— reduced redundancy within the aircraft's other (yellow) hydraulic 
system. 


* Electrical power, resulting from: 


— aloss of electrical power generation at engines No. 1 and 2 


Lo 


— the loss of one of the aircraft's four alternating current (AC) systems 


— the inability to connect the aircraft's auxiliary power unit (APU) 
generators on the ground. 


* Flight controls, through: 
— reduced aileron and spoiler function 
— the loss of wing leading edge slats and droop nose function.” 
* Engine control, as a result of: 
— loss of autothrust function 
— reduction in the automatic control function to engines No. 1, 3 and 4. 
e The landing gear normal extension function was no longer available. 
* Braking, through a: 
— reduction of function in the right wing gear brakes (including anti-skid) 
— loss of function to the left wing gear brakes. 
* Partial loss of bleed air, resulting from damage to the: 
— left wing system ducting 
— APU bleed air ducting. 
e Fuel system, resulting from: 
— fuel leakage from the No. 2 engine feed tank 


— aloss of function to the engines No. 1 and 2 low pressure fuel shutoff 
valves 


— the loss of function to the No. 1 engine high pressure shutoff valve 


— loss of function of numerous fuel system components (valves and/or 
pumps) 
— degradation of the fuel quantity management system 


— areduction in capability of the automatic and manual fuel transfer 
function 


— disabling the fuel jettison system. 


* Engine fire protection, as a result of a loss of function to one of the two 
extinguisher bottles in engines No. 1 and 2. 


Further information on the damage to aircraft's systems is contained in Appendix B. 


Other damage 


A significant amount of debris from the aircraft fell over about 1.5 square km on 
Batam Island (Figure 11). A number of engine and other components were 
recovered from the island with the assistance of the local residents, Indonesian 
police, the National Transportation Safety Committee (NTSC) of Indonesia and the 
engine manufacturer. 


10 A leading edge lift augmentation device. 
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1.5 


Figure 11: Debris distribution on Batam Island 


Image source: Google Earth. 


A section of the intermediate pressure turbine disc (about 4096 of the disc) from the 
No. 2 engine was recovered from a property on Batam Island (Figure 12). Despite a 
search carried out over several days, no other significant fragments of the turbine 
disc were recovered. A number of other engine components were recovered, 
including sections of engine cowling and other components from the No. 2 engine. 


Several buildings and other property were damaged by the debris. 


Figure 12: Property damage from a section of the No. 2 engine turbine disc 


es: = 
Image source: Courtesy of the ‘Posmetro’ newspaper, Indonesia. 


Personnel information 


All crew reported that they were adequately rested prior to commencing duty on the 
morning of the occurrence. 


Each flight crew member’s aeronautical experience at the time of the occurrence is 
outlined in the following paragraphs. 
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1.5.1 


1.5.2 


1.5.3 


Captain 


The captain held an Airline Transport Pilot (Aeroplane) Licence (ATPL(A)). He 
was endorsed on and operated Boeing 747, 747-400 and Airbus A330 aircraft 
before commencing operations on the A380. The captain completed his A380 
endorsement on 11 April 2008 and his last proficiency check prior to the occurrence 
was completed on 14 October 2010. He held a valid Class 1 Medical Certificate 
with a requirement to wear reading glasses for vision correction. 


The captain’s aeronautical experience is outlined in Table 1. 


Table 1: Captain's aeronautical experience 


Total flying hours 15,140.4 
Total flying hours in the A380 570.2 
Total flying hours in the last 90 days 78.1 
Total flying hours in the last 30 days 34.1 
Total flying hours in the last 7 days Nil 
First officer 


The first officer held an ATPL(A) and was endorsed on and had operated 

Boeing 747, 767, Airbus A330 and A340 aircraft before commencing operations on 
the A380. He completed his A380 endorsement on 29 August 2008 and his last 
proficiency check prior to the occurrence was completed on 16 September 2010. 
The first officer held a valid Class 1 Medical Certificate with no restrictions. 


The first officer’s aeronautical experience is outlined in Table 2. 


Table 2: First officer's aeronautical experience 


Total flying hours 11,279.5 
Total flying hours in the A380 1,271.0 
Total flying hours in the last 90 days 127.5 
Total flying hours in the last 30 days 35.3 
Total flying hours in the last 7 days 35.2 


Second officer 


The second officer held an ATPL(A) and was endorsed on and had operated 
Boeing 747 aircraft before commencing operations on the A380. He completed his 
A380 endorsement on 15 February 2009 and his last proficiency check prior to the 
occurrence was completed on 27 October 2010. The second officer held a valid 
Class 1 Medical Certificate with no restrictions. 


The second officer’s aeronautical experience is outlined in Table 3. 
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Table 3: Second officer's aeronautical experience 


Total flying hours 8,153.4 

Total flying hours in the A380 1,005.8 

Total flying hours in the last 90 days 151.7 

Total flying hours in the last 30 days 34.7 

Total flying hours in the last 7 days 33.6 
1.5.4 Check captain 


The check captain held an ATPL(A) and was endorsed on and had operated 
Boeing 747, 747-400 and 767 aircraft before commencing operations on the A380. 
He completed his A380 endorsement on 1 March 2009 and his last proficiency 
check prior to the occurrence was completed on 31 October 2010. The check 
captain held a valid Class 1 Medical Certificate with a requirement for reading 
correction to be available while exercising the privileges of the licence. 


The check captain's aeronautical experience is outlined in Table 4. 


Table 4: Check captain's aeronautical experience 


Total flying hours 20,144.8 

Total flying hours in the A380 806.4 

Total flying hours in the last 90 days 151.7 

Total flying hours in the last 30 days 34.7 

Total flying hours in the last 7 days 6.4 
1.5.5 Supervising check captain 


The supervising check captain held an ATPL(A) and was endorsed on and had 
operated Boeing 747, 747-400, 767 and Airbus A330 aircraft before commencing 
operations on the A380. He completed his A380 endorsement on 27 June 2008 and 
his last proficiency check prior to the occurrence was completed on 1 November 
2010. The supervising check captain held a valid Class 1 Medical Certificate with a 
requirement for reading correction to be available while exercising the privileges of 
the licence. 


The supervising check captain's aeronautical experience is outlined in Table 5. 


Table 5: Supervising check captain's aeronautical experience 


Total flying hours 17,692.8 
Total flying hours in the A380 1,345.9 
Total flying hours in the last 90 days 189.3 
Total flying hours in the last 30 days 59.9 
Total flying hours in the last 7 days 10.6 
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1.6 


1.6.1 


1.6.2 


Aircraft information 


General 


The aircraft was a low-wing, high capacity transport category aircraft that was 
manufactured in France in 2008 (Figure 13). The aircraft could carry 259,471 kg of 
usable fuel (at 0.80 kg/litre) and about 450 passengers on two decks in various 
classes. The aircraft information is summarised in Table 6. 


Figure 13: Airbus A380-842 


Image modified from an Airbus-supplied model 


Table 6: Aircraft information 


Manufacturer Airbus 
Type A380-842 
Serial number 0014 
Total hours 8,533.02 
Total cycles 1,843 
Year of manufacture 2008 


Certificate of Registration 


4 September 2008 


Certificate of Airworthiness 


18 September 2008 


Maximum take-off weight 569,000 kg 
Actual take-off weight 464,040 kg 
Maximum landing weight 391,000 kg 
Actual landing weight 431,712 kg 


Engine 


The aircraft was fitted with four Rolls-Royce plc RB211 Trent 972-84 high-bypass 
turbofan engines. The engines were numbered 1 to 4 from left to right (Figure 14). 
A description of the engine and details of the damage sustained by the No. 2 engine 
are contained in Part 2 of this report. 
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Figure 14: Engine positions 
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Image modified from an Airbus-supplied model 


Meteorological information 


Meteorological observations were taken at Changi Airport every 30 minutes. 
Between 00:00:00 and 04:00:00 the surface winds varied from 3 to 6 kt and were 
from the south-south-west. No significant weather was observed within the vicinity 
of the airport. Weather radar images indicated that there were no areas of 
precipitation between Singapore and Batam Island during the occurrence. 


The flight crew reported weather conditions that were consistent with the recorded 
data, and that the flight was conducted in visual conditions. 


Communications 


Communication to and from the aircraft 


In flight 


Communication between the aircraft and ATC was through VHF radio. All of the 
communications with and by ATC were recorded and, on examination, found to be 
clear, with no communication issues reported. 


On the ground 


As previously discussed, following completion of the engine shutdown procedure, 
there was only one VHF radio available for flight crew communication with the 
ATC ground controller and the airport emergency services (AES) commander. It 
took the crew 2 to 3 minutes to establish direct communication with the AES 
commander via VHF radio. The AES commander reported that he was absent from 
his vehicle for a short period, during which he was assessing the situation and initial 
response of the fire fighting resources. 


The flight crew used a mobile telephone to communicate with the operator’s 
maintenance personnel. 


AT 
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Communication between the cabin and the cockpit 


A number of cabin crew reported that they attempted to contact the flight crew 
immediately after the engine failure using the cabin interphone system, but were 
unsuccessful. This included an attempt by the CSM to contact the flight crew via 
the EMERGENCY contact selection on the cabin interphone system. The 
emergency contact function illuminated a light on the cockpit overhead panel 
(Figure 15) and sounded the flight deck horn. The flight crew reported that they 
associated the emergency contact-activated flight deck horn with the ongoing 
warnings from the ECAM and so cancelled the horn without recognising its 
association with the cabin interphone system emergency contact function. 


Figure 15: Location of the cabin emergency call light 


Emergency 
call light 


Observation: 


Given the crews' attention on the ECAM and the associated procedures, the location of 
the cabin emergency call light and the tone of the warning horn were not sufficient to 
obtain the flight crew's attention. Although this did not result in an unsafe situation, the 
lack of conspicuity of the cabin emergency call function delayed the transfer of 
potentially important information to the flight crew. 


Aerodrome information 


Runways 


Changi Airport had three parallel runways oriented north-north-east to 
south-south-west on magnetic headings of 023°/203°. Those runways were 
designated 02/20 left (L), centre (C) and right (R) indicating their relative position 
when looking along the runway. Runways 20C and 20R were the longest runways 
available, both being 4,000 m long and 60 m wide. The aircraft departed from and 
landed on runway 20C. 
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Emergency services 


The airport was designated as a category 10 aerodrome“ for the purposes of rescue 
and fire fighting support and had a full-time AES. 


In responding to the PAN call from the aircraft, the local AES turned out 8 fire 
fighting vehicles and 20 firefighters to deal with the aircraft and passenger safety. 
Additional ground staff attended the aircraft in response to requests for stairs and 
busses. In dealing with the on-ground phase, the AES reported that they used 
60,000 L of water, 3,500 L of fire fighting foam and 18 kg of dry chemical powder. 


On-board recorded information 


Flight recorders 


The aircraft was equipped with the following flight recorders: 
e a flight data recorder (FDR) 
* acockpit voice recorder (CVR) 
e a wireless digital aircraft condition monitoring system recorder. 


The fitment of FDR and CVR equipment was mandatory for this aircraft. The 
parameters to be recorded on the FDR and the audio to be recorded on the CVR 
were defined by regulation. The recorded flight and audio data was stored within 
each recorder's crash-protected memory module. 


Initial examination of the FDR data showed that it contained recorded data from the 
entire flight; this was consistent with the capability of the recorder. 


The CVR audio recording was of 2 hours duration, as required by the relevant 
legislation. This recording commenced during the landing approach and continued 
during the subsequent ground operations. 


Isolation of the CVR 


After the passenger disembarkation process was completed, representatives from 
the Air Accident Investigation Bureau (AAIB) of Singapore approached the flight 
crew to request the isolation of the CVR. The representatives were concerned that, 
as the No. 1 Engine was still running, the CVR could still be powered and audio 
data from 2 hours previous was being overwritten. The flight and ground crews 
attempted to isolate the CVR but without success. The CVR using the endless loop 
principle continued recording, consequently overwriting the oldest audio data. 


At the time of the occurrence, the operator did not have, and was not required by 
Australian aviation regulation to have a procedure that would enable the CVR to be 
isolated in conditions of this nature. In contrast, Singapore legislation stated that 
reasonable measures may be taken to preserve any object or evidence deemed 


!! Category 10 was defined in the International Civil Aviation Organization (ICAO) Annex 14 — 


Aerodromes as having the capacity to provide fire fighting and rescue support for aircraft with 
wingspans of between 76 m and 89 m, with a maximum fuselage width of 8 m. The A380 has a 
wingspan of 79.75 m and a fuselage width of 7.14 m. 
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necessary for the purposes of the investigation. See Appendix C for further 
discussion on this subject. 


Observations: 


The CVR recording capability met the 2 hour requirement; however, in this occurrence 
this was not adequate to record both the engine failure event and the subsequent 
ground operations. CVR audio prior to and around the time of the engine failure would 
have been extremely useful to this investigation in examining the crew resource 
management response to the event and exact ECAM sequences. The CVR audio would 
have been able to provide a correlation with other sources of flight information allowing 
the ATSB to more quickly develop an understanding of the technical issues and the 
flight crew's response. 


The overwriting of the CVR in this event was cited in a Working Paper presented by the 
ATSB to the ICAO flight recorder working panel in October 2012, to support the panel 
proposal for increased CVR duration. This proposal resulted in a recommendation by 
the panel to the ICAO Air Navigation Committee in January 2013" to extend the 
mandated CVR recording capability to 15 hours. 


Two aircraft network server units (ANSU) formed part of the aircraft's computer 
network architecture and contained duplicate recorded data sets from the FDR, 
aircraft condition monitoring system and the aircraft's centralised maintenance 
system (CMS). These data sets included a virtual quick access recorder, smart 
aircraft condition monitoring system recorder (SACMSR), aircraft system reports 
and post-flight reports from the CMS. 


Additional recorded information was available from the engine monitoring unit 
(EMU) and engine electronic control (EEC) on each engine. The EMU and EEC 
data included detailed information specific to the operation of that engine. 


Details of the recording systems and analysis of the data contained in those systems 
is in Appendix C. 


Fire 


No. 2 engine external fire 


Following the uncontained engine failure, an external fire developed in the lower 
left region of the No. 2 engine nacelle. A portion of the thrust reverser assembly 
was burnt in the fire (Figure 16). 


? AN-WP/8697 dated 29/01/13 amending Annex 6 Part 1. 
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Figure 16: No. 2 engine showing fire damage to the lower left engine nacelle 
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Initial on-site inspection identified that the fire was most intense in the lower left 
thrust reverser section and in the lower bifurcation" (Figure 17 and 18). Sooting, 
glazing and the effects of heat were observed on a number of electrical, air, oil and 
hydraulic supply lines and the nacelle anti-ice bleed air ducts within the core 
section, lower bifurcation and accessories section (on the fan casing). A significant 
amount of oil was smeared on the lower panel of the thrust reverser cowl 

(Figure 18). 


'3 A vertical space within the thrust reverser section where the left and right half of the thrust 


reverser cowls join. The lower bifurcation provides a space for the various service pipes to be 
routed between the core section of the engine and the accessories section on the fan case. 


c9. 


Figure 17: Example of fire damage in lower the bifurcation (looking to the 
forward and right of the No. 2 engine) 
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Figure 18: Left thrust reverser section (looking at the lower surface of the 
engine) 


During the subsequent engine inspection, it was noted that an oil supply pipe to the 
HP/IP and low pressure (LP) turbine bearings that was located within the lower 
bifurcation had been severed and was kinked forward (Figure 19). That damage was 
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directly below the breach in the engine case and was consistent with being a 
consequence of the uncontained engine failure. The damage to the supply pipe was 
also coincident with a region of intense burning on the thrust reverser inner fixed 
structure. 


Figure 19: Representation of the position of the oil supply pipe to the HP/IP 
and LP turbine bearing chambers (severed and bent forwards 
during the engine failure sequence) 


The nacelle anti-ice bleed air duct passed through the lower bifurcation. The bleed 
air was taken from the engine's high pressure compressor and had a temperature of 
around 500 ?C. The duct was not insulated and there were a number of holes in the 
duct. 


The ATSB recovered less that 0.5 L of oil from the No. 2 engine. The recorded data 
indicated that the engine oil quantity decreased from 13.5 L to a small quantity in 
around 45 seconds following the uncontained failure. 


Engine fire detection system and warnings 


The engine fire detection system consisted of five detectors as shown in Figure 20. 
The detectors could provide any of three signals to the fire detection unit: 
NORMAL, FAULT or FIRE. Each of those detectors had two signal channels, or 
‘loops’ (A and B) that sent a signal to the fire detection system. 
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Figure 20: Fire detector layout 
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Image source: Rolls-Royce RB211-Trent 900 Line and Base Maintenance training guide. 


During the event, the power supply to No. 2 engine loop A was interrupted when 
the cable was cut by debris, resulting in a FAULT condition on all of the fire 
detectors in that loop. The recorded data showed that faults were also detected in 
loop B of the Zone 2 and 3 detectors. This meant that the only remaining operable 
engine fire detectors were in zone 1 (the fan casing). 


The recorded data showed that at 02:01:52 the No. 2 engine thrust lever was 
advanced (Figure 21). There were increases in the zone 1 temperature that followed 
further thrust lever inputs, suggesting a correlation. That apparent correlation 
became more significant at higher thrust lever settings. When the thrust lever was 
returned to idle at 02:02:39 the temperature in that zone stabilised. 


At 02:02:25 a fire warning was displayed for 2 seconds before being reset. 
Figure 21 shows that around this time the temperature in zone 1 had increased to 
about 107 °C and shortly after rapidly increased further, reaching a maximum of 
about 140 °C before slowly decreasing. 
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Figure 21: Engine fire — key data 
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Final Data 


Engine fire suppression system 


The engine fire suppression system consisted of two fire extinguishing bottles for 
each engine, a control subsystem and a distribution subsystem (Figure 22). A 
post-flight inspection of the aircraft revealed that one of the No. 2 engine's fire 
bottles had discharged. 


The aircraft manufacturer determined that the damage to the wiring from the 
uncontained engine failure had prevented the discharge of the second bottle and the 
provision to the flight crew of an indication of the status of the bottles. This 
prevented an accurate determination of when the crew attempted to activate the fire 


suppression system. 
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PRESSURE SWITCH 


Figure 22: Fire suppression system for engine No. 1 (similar system for 


engines No. 2, 3 and 4) 
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Image source: Rolls-Royce RB211-Trent 900 Line and Base Maintenance training guide 
Note: FDU = fire detection unit 


Observations: 


The evidence was consistent with the commencement of a fire in the engine No. 2 thrust 
reverser lower bifurcation duct when an oil line was severed by ejected material during 
the uncontained engine failure. The specific ignition source was unable to be 
conclusively determined, however, the region had a number of sources of hot air 
(nacelle anti-ice bleed air and hot gases released from the engine after the failure) and 
hot surfaces that were sufficient to ignite any leaking oil in that area. 


Although there was no direct measurement of the temperature in the area, a nearby fan 
casing measurement showed that the temperature in the region continued to rise after 
the engine oil quantity had depleted. This is consistent with a local fire, where the pipe 
had been severed, and a larger area fire in the lower section of the thrust reverser. This 
was itself consistent with oil pooling in the bottom of the nacelle where an intense fire 
burnt the thrust reverser and entered the accessory gearbox area (zone 1). It is likely 
that the rear fire detector in zone 1 triggered the No. 2 engine fire warning. 


Although the temperature in zone 1 levelled out then slowly decreased when the thrust 
levers were returned to idle, a direct relationship between the zone 1 temperature and 
thrust lever movement could not be established with certainty. Other possible reasons 
for the reduction in the zone 1 temperature included the consumption or loss overboard, 
and therefore removal as an energy source, of the pooled oil in the lower bifurcation, or 
as a result of the discharge of the fire bottle. 


Internal wing flash fire 


Immediately following the engine failure, a passenger who was seated on the upper 
left deck of the aircraft, reported observing a fire coming from the hole through the 
left upper wing structure (Figure 7). The passenger reported to the ATSB that he 
observed a fire that lasted for about 5 to 6 minutes. None of the flight crew reported 
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observing any fire, any evidence of a fire, or being aware of a fire in that area of the 
left wing. 


The ATSB examined the left wing and found a region inside the left inner fuel tank 
that had a dark residue on the wall surfaces (Figure 23). A similar dark residue was 
also found behind the hole in the exterior upper wing surface. Samples of that 
residue were tested in an independent laboratory, where those residues were 
determined to be consistent with products of combustion. The painted surfaces 
immediately underneath the residue did not exhibit any thermal damage, 
discolouration or blistering. 


Figure 23: Dark residue in left inner wing fuel tank (looking up and forward) 


The ATSB conducted a detailed inspection of the left inner fuel tank region to 
identify potential sources of ignition. The surface temperature of the turbine disc 
fragment and the frictional effects associated with the passage of the fragment 
would have been sufficient to ignite the fuel vapour within the tank volume. No 
other potential sources of ignition were identified as being sufficient to have 
initiated the fire. 


The ATSB determined that the conditions within the tank were suitable for a short 

duration (flash) fire; however, they were not suitable to sustain the fire. A detailed 

report of the ATSB's examination and analysis of the fire in the left inner fuel tank 
is at Appendix D. 


Observation: 


The ATSB determined that the passenger had a clear view of the No. 2 engine through 
the damaged section of the wing. The duration of the fire observed by the passenger 
probably indicated that they observed the No. 2 engine external fire (as discussed in 
section 1.11.1) through the holes in the left inner fuel tank, rather than the flash fire. 
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Brake overheat 


The AES reported that after the aircraft came to rest, they observed smoke emitting 
from the left body gear wheels. The emergency responders described an ‘incipient 
fire' developing in the landing gear, and that the tyres had deflated. As a precaution, 
they discharged dry powder fire retardant in that area. 


Even though there was evidence that components of the left wing body gear wheels 
were affected by high temperatures, a post-flight inspection revealed no evidence of 
a fire, such as melting or charring, in any of the affected wheels. 


Survival aspects 


There were no injuries as a direct result of the uncontained engine failure and the 
cabin environmental systems remained functional during the occurrence and return 
to Changi Airport. 


Portable electronic devices 


After the passengers boarded, as part of the normal departure procedures, the cabin 
crew made a public address announcement requiring that all portable electronic 
devices (PEDs) were to be switched off and could not be turned on again until the 
aircraft had reached cruising altitude and the seat belt sign had been turned off. The 
engine failure occurred prior to the aircraft reaching cruise altitude and, after the 
failure, the seat belt sign remained on for the rest of the flight. Therefore, the 
conditions under which passengers could use PEDs were not met and permission to 
use them was not given. The cabin crew reported that additional PA announcements 
were made following the engine failure instructing passengers to remain seated with 
their seat belts fastened and to keep PEDs switched off. 


Video and still images showed that some of the passengers did not comply with the 
crew's instructions, such as: 


* moving about the cabin when they had been instructed to remain seated 


* using PEDs during flight, and in particular during the approach, landing and 
post landing phases, when instructed to switch them off. 


Observation: 


Although the images taken by the passengers during the flight provided supplemental 
information to the ATSB, the use of PEDs has a number of known safety risks. Specific 
to this accident is the potential for interference with aircraft systems and the risk of 
passenger distraction at critical times during the emergency situation. 


Although it is difficult to replicate the effects from interference from PEDs on aircraft 
Systems, there is strong anecdotal evidence to show that they can have a detrimental 
effect. "^ This can include erroneous navigation information, false warnings, reduced 
crew confidence in warning systems and crew distraction. 


During an emergency situation, crew members provide instructions to passengers 
regarding their safety. Many of those instructions will be significantly different to the 
normal announcements made during a flight and contain specific information and 


^ Balfe N. and Head T (2004). Passenger Use and Perception of Personal Electronic Equipment on 


Board Aircraft. International Journal of Applied Aviation Studies, 4, Number 2. FAA Academy, 
Oklahoma City, OK. 


—28- 


1.12.2 


instructions not normally provided to passengers. It is important for the safety of all 
passengers that these instructions are listened to and understood. Human attentional 
resources are a single-channel, filtered and limited resource? and PEDs have been 
shown in numerous research studies to have a significant distracting effect. In an 
emergency situation, such as an evacuation, actions need to be carried out quickly and 
there can be insufficient time for crew to be repeating information to passengers 
distracted by their PEDs. 


Passenger disembarkation 


The operator's Flight Crew Emergency Procedures Manual (FCEPM) categorised 
the emergency egress of an aircraft’s occupants into three basic classes: unprepared 
emergencies, prepared emergencies and precautionary disembarkation. Aside from 
an egress in the case of an unprepared emergency, the captain was responsible for 
determining which class of emergency egress was to be used. The highest level of 
urgency was an evacuation, where the crew were required to use all available exits, 
specific commands and set procedures to ensure that the aircraft was evacuated as 
rapidly as possible. This method of disembarkation also presented the greatest risk 
of passenger injury. ^ 


The FCEPM defined a precautionary disembarkation as an emergency situation 
where passengers are disembarked as quickly as is deemed safe, however, the pace 
of the disembarkation is slower in an effort to minimise potential injury to 
passengers or crew. The FCEPM also stated that this form of disembarkation can be 
upgraded quickly to a full evacuation if the circumstances change. 


As both the evacuation and the precautionary disembarkation methods of 
emergency egress were classed as ‘prepared on the ground’ emergencies, they both 
used a common initial alert to the cabin crew. This was achieved through a specific 
PA announcement that placed the cabin crew in the ‘alert phase". While in the 
alert phase, the flight crew were required to assess the safety of the aircraft, taking 
into account the internal and external environments and determine the type of 
egress to be used should an emergency egress become necessary. The alert phase 
may take several minutes while the flight crew carry out the applicable shutdown 
procedures and establish communications with the AES to obtain information on 
the external environment around the aircraft. 


Following the landing, the flight crew actioned the applicable evacuation checklist, 
assessed the information that had been provided to them by the AES and decided 
that a precautionary disembarkation using stairs would be the most appropriate and 
safest method. The captain briefed the CSM on the plan and addressed the 
passengers regarding the disembarkation. 


The initial plan was to use the main deck 1R door for the disembarkation and that 
door was disarmed in preparation for the arrival of a set of stairs. However, the 


5 Wickens, C.D. and McCarley, J.S. (2008). Applied attention theory. CRC Press: Boca Raton, FL. 


16 A safety study of emergency evacuations carried out by the US National Transportation Safety 


Board (NTSB/SS-00/01, 27 June 2000) found that 8 per cent of the people involved in the 
evacuations studied sustained injuries during evacuation (2 per cent serious and 6 per cent minor). 
A number of the injuries were related to the emergency type (for example, smoke inhalation from 
a fire) while others were directly related to the evacuation, such as fractures. 


" During the alert phase, all cabin crew were to remain at their assigned stations, with all doors 


armed. This allows the crew to immediately activate the escape slides should they be needed. 
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stairs were actually placed in position at the main deck 2R door. There were hurried 
communications between the cabin and flight crew to ensure that there was no 
accidental deployment of a door slide when main deck 2R door was opened. The 
flight crew also instructed the cabin crew to prevent any subsequent evacuation 
from the left side of the aircraft while the No. 1 engine continued to run. 


To ensure that passengers safely entered a controlled environment outside the 
aircraft and did not wander into areas where a significant hazard still existed, the 
disembarkation was carried out in a managed fashion by the AES. That 
management included passengers being disembarked from the aircraft in groups to 
fill a single bus load at a time. 


Observation: 


Given that there was no indication of an immediate threat to the safety of those on 
board, and that the option of an immediate evacuation remained throughout, the crew's 
decision to evacuate via the stairs likely provided the safest option. With the 
uncontrolled No. 1 engine, fuel leakage hazard and the large number of passengers, the 
airport emergency services action to control the passengers in proximity to the aircraft 
reduced risk to the passengers themselves, the crew and emergency services. 


Tests and research 


Simulation of the occurrence in a fixed base simulator 


Following the occurrence, Airbus conducted a simulator session to assess the 
aircraft's handling characteristics after the uncontained engine failure. That 
simulator session was carried out at the Airbus facilities in France during April 
2011 and included participants from Airbus, the Direction générale de l'aviation 
civile (DGAC)"®, the Bureau d’Enquétes et d' Analyses pour la sécurité de l'aviation 
civile (BEA) and, acting on behalf of the ATSB, one of the pilots from the 
occurrence flight. 


The simulations were carried out in an A380 fixed base simulator (that is, a 
simulator without motion capability) using a certified aerodynamic model. The 
simulator was connected to and controlled by actual computers of the standard 
fitted to the occurrence aircraft and were configured to represent the state of the 
aircraft during the return and landing after the event. There were a number of slight 
differences in how the systems were failed as compared to the effect of the 
uncontained engine failure (entire systems were failed rather than specific wires 
being disconnected or cut to simulate the damage from the liberated engine debris). 
According to the manufacturer, this did not change the characteristics, but may have 
affected the presentation of ECAM messages.” 


18 The DGAC is the French agency with responsibility for the regulation of civil aviation under its 


jurisdiction. 


19 The BEA is the French agency with responsibility for technical investigations into civil aviation 


accidents or incidents under its jurisdiction. The BEA was an accredited representative to the 
ATSB investigation under ICAO Annex 13. 


20 This was considered acceptable because the purpose of the session was not to examine the flight 


crew responses to the ECAM. 
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The design of the simulator set-up was aimed at replicating the occurrence aircraft's 
responses during the event as accurately as possible. The primary purpose of the 
simulation session was to assess the aircraft’ s: 


* flight envelope protections 
* handling qualities and controllability at a range of lateral fuel imbalances 


* control on the ground and required landing distance with maximum braking 
and full reverse thrust selected on No. 3 engine versus differential braking. 


In all cases the flight envelope protections functioned as anticipated. In addition, it 
was determined that the flight crew could maintain control of the aircraft in all fuel 
imbalance configurations tested. The effect on the aircraft's controllability in those 
configurations was rated as *minor'.^! 

Each of the simulator scenarios concluded when the aircraft had landed and come to 
a full stop. On each landing the flight crew applied maximum braking, with full 
reverse thrust applied to the No. 3 engine and directional control via the rudder 
pedals. On each occasion the simulated aircraft remained near the runway centreline 
and stopped in the second third of the runway with 1,000 to 1,500 m of runway 
remaining. 


Observation: 


The primary aim of the simulation session was to test the aircraft's handling qualities 
with the known airframe and systems degradation resultant from the uncontained engine 
failure. Despite significant system and structural damage following the uncontained 
engine failure, the simulation identified that the aircraft had sufficient redundancy to 
continue safe operation. 


Engineering analysis of the occurrence 


An engineering analysis by the airframe manufacturer applied the conditions from 
the event flight using the certified aircraft model, but with the following 
differences: 


* maximum braking effort was applied for the duration of the landing roll 


e full right thrust reverser was applied down to 75 kt, followed by idle 
reverse thrust until coming to a full stop (Flight Crew Operating Manual 
(FCOM) procedure). 


The total estimated landing distance was calculated in the manufacturer's analysis 
to be 2,300 m. This left a 1,700 m margin in the case of a landing on the 4,000 m 
runway 20C at Changi Airport. 


Observation: 


The difference between the manufacturer's engineering analysis of the landing distance 
and the actual aircraft stopping distance may primarily be attributed to the flight crew not 
applying maximum braking for the duration of the landing. As maximum braking effort 
was not required to stop the aircraft within the confines of the runway, the risks 
associated with maximum effort braking were reduced. 


^ Based upon the Cooper-Harper rating scale. The Cooper-Harper rating scale is a standardised 


aircraft handling quality rating scale that was developed by the US National Advisory Committee 
for Aeronautics (the predecessor to National Aeronautics and Space Administration (NASA)). 
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The landing distance performance application 


The onboard information system (OIS) could be operated through an onboard 
information terminal (OIT) that was incorporated into the captain's and first 
officer’s instrument panels, or through synchronised laptop computers stowed at 
each of the flight crew stations (Figure 24). The OIS included an operations library 
application that supported a complete suite of aircraft operations documentation, 
navigation charts, and performance applications. The performance applications 
enabled the flight crew to determine aircraft performance data including take-off 
and landing data. The program for determining landing performance was referred to 
as the landing performance application (LPA). Certain OIS functions, including the 
LPA, were also available on a third laptop computer stowed at the rear of the 
cockpit. 


Figure 24: Onboard information system 
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The pre-landing procedures required the flight crew to enter information into the 
flight management systems (FMS), including the intended approach and landing 
runway, the aircraft’s landing configuration and the weather conditions for the 
arrival airport. The FMS data, which included the aircraft’s weight and centre of 
gravity, as well as the ECAM list of any system failures that affected landing 
performance, were automatically synchronised with the captain's and first officer's 
OITs. The flight crew could manually modify the synchronised system data and add 
or remove data as required. 
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LPA operational logic 


In determining the landing distance, the LPA calculations accounted for aircraft 
system failures by multiplying the calculated landing distance by an applicable 
factor. The LPA also contained a degree of ‘conservatism’ through the application 
of an operational coefficient, to account for variations in landing technique between 
the average pilot and the ideal procedure. 


The manner in which that conservatism was applied by the LPA differed depending 
on whether the landing weight was above, or at or below, the maximum landing 
weight." When the weight was at or below the maximum landing weight, the 
operational coefficient was applied to each of the system failure factors. However, 
when the landing weight was above the maximum landing weight, the LPA only 
applied the operational coefficient once. That was, the operational coefficient for 
weights at, or below, the maximum landing weight was more conservative than for 
weights above the maximum landing weight. This could result in calculated landing 
distances that were greater for lower weights. 


LPA calculations during the occurrence 


During the preparations for landing, the additional flight crew attempted to 
determine the landing distance for a landing at Changi Airport runway 20C using 
the third laptop. They manually entered data including the aircraft's maximum 
landing weight,” the runway and weather conditions and nine inoperative aircraft 
systems. In calculating the landing distance, the LPA applied the additional 
operational coefficient, and therefore the inherent conservatism nine times, 
reflecting the number of inoperative aircraft systems entered. The landing distance 
calculated was greater than the landing distance available and the LPA provided a 
*no result' message. 


The crew recalculated the landing performance data, but this time used the actual 
aircraft weight. This revised calculation indicated that a landing on runway 20C was 
feasible, with 100 m of runway remaining. The crew elected to proceed on that 
basis. 


Flight envelope protection alerts during the final 
approach 


Reports from the flight crew and data from the FDR indicated that the aircraft 
activated three flight envelope protection alerts during the approach and landing. 
The first two were ‘low energy’ aural alerts, with the first being triggered as the 
aircraft passed 1,000 ft radio altitude (RA)? and the second at 362 ft RA. On each 
occasion the captain appropriately responded by increasing thrust. 


In an emergency, a landing above the aircraft's maximum landing weight was permitted, but 
required a subsequent maintenance inspection. 


The actual landing weight was 41 T in excess of the maximum landing weight. 


Altitude determined by radar altimeter. 
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The third warning, a stall warning associated with the aircraft's angle of attack, ^ 
was generated at 3 ft RA, immediately prior to the aircraft touching down on the 
runway. 


To prevent a loss of control from an aerodynamic stall, the A380 flight control 
system in NORMAL law included a number of low energy protections. Those 
protections were based on the angle of attack and included a low energy warning 
and alpha” floor. According to the FCOM: 


The objectives of the low energy alert and of the alpha floor function are to 
protect the flight path angle by providing means to achieve a proper level of 
energy: 


- The low energy alert is the first level of protection. It requires crew action, 
for manual thrust increase. 


- The alpha floor function is the second level of protection. It automatically 
sets maximum thrust. 


As a result of the damage to the aircraft systems, primarily the loss of the leading 
edge slats, the aircraft's control system reverted from NORMAL to ALTERNATE 
1A law. Although this included an ECAM message to advise the crew that the flight 
envelope protections had been lost, the only protection lost was alpha floor. Under 
ALTERNATE 1A law, the stall warning was restored." 


Post-accident analysis by Airbus identified that, as a result of the control system 
laws and the damage to the aircraft, all three warnings were genuine and that the 
flight envelope margins were maintained. 


Observation: 


The warnings produced by the aircraft's flight control computers were genuine and 
provided for the appropriate margins to avoid an aerodynamic stall during the approach. 


The increase in thrust setting by the captain, in response to the ‘low energy’ aural alerts, 
were in accordance with the operating procedures. 


Crew inability to shut down the engine 


Guidance material 


The guidance in ICAO Annex 14 — Vol 1 - Aerodromes included information 
regarding airport rescue and fire fighting services at an airport. Additional detailed 
guidance was provided in the ICAO Airport Services Manual, Part 1 — Rescue and 
Fire Fighting. Although neither publication included any material directly related 
to shutting down an uncontrolled engine, the following guidance was provided in 
the ICAO Airport Services Manual: 


^ Angle of attack is the angle of the wing relative to the oncoming airflow. 


26 Alpha (a) is used to represent angle of attack. 


27 Stall warning was not required for NORMAL law as the system would automatically provide the 
protection to prevent the aircraft from stalling. 


28 ICAO Document No. 9137 
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12.2.9 Confined turbine engine fires (jet). Fires confined to the 
combustion chambers of turbine engines are best controlled when the flight 
crew is in a position to keep the engine turning over and it is safe to do so 
from the viewpoint of aircraft evacuation and other safety considerations. Fire 
fighters will have to stand clear of the exhaust but may have to protect 
combustibles from exhaust flames. Fires outside the combustion chambers of 
turbine engines but confined within the nacelle are best controlled with the 
built-in extinguishing system. If the fire persists after the built-in system has 
been expended and the turbine shut down, halon or dry chemical may be used 
to attempt extinguishment. 


12.2.10 Foam or water spray should be used externally to keep adjacent 
aircraft structure cool. Foam should not be used in the intake or exhaust of 
turbine engines unless control cannot be secured with other agents and the fire 
appears to be in danger of spreading. 


12.2.11 Rescue and fire fighting personnel should stay at least 7.5 m from 
the intake of an operating turbine engine to avoid being sucked in, and 45 m 
from the rear to avoid being burned from the blast. 


12.3.24 Engine running. It is often necessary to keep at least one engine 
operating after the aircraft has come to a stop in order to provide lighting and 
communications aboard the aircraft. This will hamper aircraft rescue 
operations to some extent and consideration should be given to this problem. 


Previous industry occurrences 


The flight crew's inability to shut down the No. 1 engine on the ground increased 
the risk to firefighters, rescue personnel, and crew and passengers being evacuated 
or disembarked from the aircraft. There have been a number of previous events 
where a flight crew has been unable to shut down an engine and there were 
survivors or firefighters in attendance at the aircraft: 


1982 — A McDonnell Douglas DC10 had a runway excursion and entered a 
body of water adjacent to the airport. The nose of the aircraft was detached 
during the impact. The No. 2 engine remained in full reverse thrust for 
approximately 30 minutes during which time the evacuation of the aircraft 
took place. The thrust from the No. 2 engine interfered with the operation 
of the two rearmost slides.” 


1993 — A Boeing 747 departed the runway during the landing roll and 
entered an adjacent lagoon. The subsequent water ingress into the 
electronics bay in the nose rendered all control to the No. 1 engine 
inoperative. The No. 1 engine continued to run at above ground idle for 
some time until it was stopped by the local AES by drowning the engine 
using foam and water.” 


2000 — A Convair 580 turboprop departed the runway during the landing 
roll. The flight crew were unable to shut down the left engine as a result of 
damage to the aircraft. The crew attempted to use three different methods 


29 


30 


National Transportation Safety Board - Aircraft Accident Report - NTSB-AAR-82-15, World 
Airways, Inc, Flight 30H, McDonnell Douglas DC-10-30CF, N113WA, January 23, 1982. 


BEA Aircraft Accident Report — F-TA930913, Air France Boeing B747-428, 13 September 1993, 
Papeete-Faaa Airport, Tahiti. 
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of shutting down the engine, all of which were unsuccessful. The engine 
continued to run for 15 minutes during which time the passengers were 
evacuated from the aircraft. The engine finally stopped when it overheated 
due to a lack of lubricating oil.” 


2007 — During an engine run as part of pre-acceptance tests an 

Airbus 340 was severely damaged when the aircraft impacted engine-blast 
suppression walls surrounding the run-up bay. The cockpit of the aircraft 
was separated from the cabin and two engines continued to run and could 
not be stopped using either the engine FIRE push buttons or the engine 
master switches in the cockpit. One engine was able to be stopped 2 hours 
and 45 minutes after the accident by spraying water and foam into the 
intake. The other engine was too close to an external structure to be able to 
get sufficient water/foam sprayed into the intake to shut it down. It finally 
stopped 9 hours after the accident when the fuel supply in the feed tank was 
exhausted. 


Airport emergency services procedures 


At the time of the occurrence, the local AES did not have a procedure or guidance 
for shutting down an uncontrolled engine. 


After attempting all of the operational and engineering methods for shutting down 
the No. 1 engine, and following consultation with the operator, a decision was made 
to inject water and foam directly into the intake. Although the delivery rate of water 
alone was not sufficient to shut the engine down, the use of foam was successful at 
drowning the engine. 


Observation: 


Although the guidance material did not provide specific material on a process for 
shutting down an uncontrolled engine, it did include information on the precautions to be 
taken when an engine is operating. This provided a level of safety to rescue and fire 
fighting personnel and aircraft occupants in the case of an operating engine during an 
emergency response, as was the case with this occurrence. 


The implications of the continued running of the No. 1 engine were mitigated in this 
occurrence by the actions of the crew and emergency services personnel. There may be 
situations where this is not possible. Previous similar occurrences indicate that a 
number of airport emergency services either had a procedure, or determined a suitable 
means of shutting down an uncontrolled engine or protecting personnel while it 
remained running. 


Airport emergency services in general may benefit from reviewing their procedures to 
ensure that, should the nature of the emergency dictate, they have the capability and 
processes in place to be able to manage an uncontrolled engine. 


31 


32 


Transportation Safety Board — Aviation Occurrence Report — A00Q0133, Runway Excursion, 
Hydro-Quebec Convair Liner 340 (580) C-GFHH, 27 September 2000. 


BEA Aircraft Accident Report — Airbus A340-600, Registered F-WWCJ, 15 November 2007, 
Toulouse Blagnac Airport, France. 
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Crew performance 


A key aim of crew resource management (CRM) is to minimise or manage crew 
workload. The additional flight crew that were present on the flight deck during the 
accident flight were resources available to provide support to the primary flight 
crew of the captain and first officer. The primary flight crew processed the ECAM 
messages and followed procedures in accordance with their training. They used 
other flight crew members at opportune times to share tasks not essential to flight 
safety and gather information to assist in their decision making. This included 
communication with the cabin and obtaining information in relation to the damage 
to the aircraft. The operator's training regime is structured around a prescribed 
number of flight crew being present in the flight deck. In this case the presence of 
additional flight crew members did not interfere with the primary flight crew 
operating in accordance with their experience and training. 


CRM advocates a primary flight crew's use of all available resources including 
people, information and equipment. Therefore, the safe outcome of the accident 
flight was not only contingent on the primary and supporting flight crew but also on 
the efforts of the CSM and cabin crew. 


Salas and colleagues? provided guidance on the factors that make up a competent 
team from a CRM perspective (Table 7). 


Table 7: Identified CRM skills exhibited by a competent team 


CRM Skill Identified 


Definition 


Communication (also known as 
Closed-loop communication) 


Ability of two or more team members to clearly and 
accurately send and receive information or commands and 
to provide useful feedback. 


Briefing (Mission analysis, 
Planning) 


Ability of team members to develop plans of action by 
organising team resources, activities and responses to 
ensure tasks are completed in an integrated and 
synchronised manner. 


Backup behaviour (Advocacy) 


Mutual performance monitoring 
(Workload management) 


Ability of team members to anticipate the needs of others 
through accurate knowledge about each other's 
responsibilities, including the ability to shift workload 
between members to create balance during periods of high 
workload or pressure. 


Ability of a team member to accurately monitor other team 
members' performance, including giving, seeking and 
receiving task-clarifying feedback. 


Team leadership (Management) 


Ability of a team leader to direct and coordinate the 
activities of team members, encourage team members to 
work together; assess performance; assign tasks; develop 
team knowledge, skills and abilities; motivate; plan and 
organise; and establish a positive team atmosphere. 


Decision making (judgment, 
problem solving) 


Ability of team members to gather and integrate 
information, make logical and sound judgments, identify 
alternatives, consider the consequences of each 
alternative, and select the best one. 


? Salas, E., Prince, C., Bowers, C., Stout, R., Oser, R.L., & Cannon-Bowers, J.A. (1999). A 
methodology for enhancing crew resource management training. Human Factors, 41, p.163. 
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CRM Skill Identified 


Definition 


Task-related assertiveness 
(confidence, aggressiveness, 
authoritarian) 


Willingness/readiness of team members to communicate 
their ideas, opinions and observations in a way that is 
persuasive to other team members and to maintain a 
position until convinced by the facts that other options are 
better. 


Team adaptability (flexibility) 


Ability of team members to alter a course of action or adjust 
strategies when new information becomes available. 


Shared situation awareness 
(shared mental models, situation 
assessment) 


Ability of team members to gather and use information to 
develop a common understanding of the task and team 
environment. 


Overall, the flight and cabin crew behaviours on the occurrence flight were 
consistent with the behaviours identified above, indicating that both the flight crew 
and cabin crew could be classified in this instance as a team performing to the level 
of a competent team. The majority of skills defined were exhibited on the flight 
deck and in the cabin of the aircraft during the accident flight. Examples of these 


behaviours included: 


e The captain (in conjunction with the rest of an experienced flight crew) 
made critical decisions regarding aircraft controllability, completion of the 
ECAM procedures, preparing for return and landing of the aircraft and 
passenger disembarkation. 


e The CSM dealt efficiently and effectively with a minor medical issue 
involving a passenger and their medication, and ensured that all cabin crew 
were aware of the developing situation and what their duties entailed by 
personally visiting each station and briefing all crew. 


e The CSM reported controlling the communications between the flight deck 
and cabin to maintain one point of contact. 


* Communication between all crew members and between crew and the 
passengers was rapid, thorough and provided the necessary information to 
keep all fully informed. 


* Flight crew and cabin crew worked very well together within and across 
their teams to ensure the safe outcome from an emergency situation. 


Observation: 


On the flight deck, the supporting flight crew provided valuable input and assistance to 
the primary flight crew—in terms of conducting PA announcements, liaison with the 
cabin crew and visual observations of damage. 


Although the additional flight crew were a valuable resource, had they not been 
available the primary flight crew would have likely responded to the situation in a similar 
manner. However, the gathering of information to assist in decision making would have 
required the use of alternative resources and methods. This may have resulted in 
prolonging the airborne time before landing or it is also possible that the flight crew may 
have shed tasks not essential to flight safety. This was unlikely to have affected the 
safety of the flight because the crew's training and the aircraft manufacturer's 
procedures required them to complete prescribed tasks before attempting to land. 
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Aircraft certification 


Certification of any product indicates that it complies with a recognised standard. 
For an aviation product, such as an aircraft or aircraft engine, the recognised 
standard is a design standard prescribed by a relevant National Airworthiness 
Authority (NAA). For the Airbus A380 airframe and the Trent 900 engine, the 
NAA was the European Aviation Safety Agency (EASA). 


When a design organisation wishes to produce a new aircraft product, they make 
application to the relevant NAA for a type certificate. There are basically four 
phases to the type certification process: ” 


e The standard by which the aircraft product will be assessed is negotiated 
and established. That agreed standard comprises the applicable 
airworthiness codes established by the NAA and any special conditions 
under which the type certification application will be assessed. This 
standard will not change for that aircraft product, even if the design 
standard changes after the standard has been agreed upon. 


e The NAA and the applicant agree on the certification program. The 
application is generally limited to a specific time period, ? during which the 
design organisation must establish that the proposed aviation product is in 
compliance with the agreed design standard. 


e Compliance with the standard is demonstrated through the completion of 
the certification program. 


* Onsuccessful completion of the certification program, a number of 
documents relating to the results of the certification program as well as 
continued airworthiness are developed and submitted. Finally, the NAA 
issues a ‘Type Certificate’. The type certificate is a document which, along 
with the Type Certificate Data Sheet (TCDS) and referenced documents, 
defines the aircraft product and any limitations associated with its 
operation. 


At the time of the certification application for the A380 and Trent 900, certification 
oversight and regulation was being transitioned from the European Joint Aviation 
Authorities to EASA. With respect to the A380, the Type Certificate was issued on 
12 December 2006 and the TCDS noted that the relevant certification standard was 
Joint Aviation Regulation (JAR) Parts 1 and 25 at change 15.” 


? National Airworthiness Authorities are government statutory authorities in each country that are 


responsible for the certification of aircraft as part of their duties. For example, in Australia the 
Civil Aviation Safety Authority is the NAA, in the United States the Federal Aviation 
Administration (FAA) is the NAA, and so on. 


3 The FAA and Industry Guide to Product Certification (2 ed.) Federal Aviation Administration: 


2004. Available at http://www. faa.gov/aircraft/air_cert/design_approvals/media/cpi_guide_ii.pdf. 


36 The codes are typically those which are effective on the date of the application. 


? Special conditions are often prescribed for novel or unusual design features, or where the 


regulations do not contain adequate or appropriate safety standards. 


°8 For large aircraft, this period is normally 5 years. 


? The TCDS for the A380, A.110, identified the certification application date for the accident 


aircraft type as 20 Dec 2001 and the certification date as 12 December 2006. 
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The A380 was also issued with a US FAA Type Certificate on the same date, which 
noted that the applicable certification standard was US Code of Federal 
Regulations, Title 14 Aeronautics and Space Part 25 Airworthiness Standards: 
Transport Category Airplanes (14 CFR 25).^ 


Airframe certification - Uncontained Engine Rotor Failure 


The certification standard for Uncontained Engine Rotor Failure 


The section of the European and US airframe design certification standards for the 
Airbus A380 that dealt with Uncontained Engine Rotor Failure (UERF) were 
respectively JAR 25.903 and 14 CFR 25.903(d)(1). Both standards stated: 


(d) Turbine engine installations. For turbine engine installations — 


(1) Design precautions must be taken to minimise the hazards to the 
aeroplane in the event of an engine rotor failure ... 


Advisory material, AMJ 20-128A and AC 20-128A, both titled Design 
Considerations for Minimizing Hazards Caused by Uncontained Turbine Engine 
and Auxiliary Power Unit Rotor Failure, was provided by both EASA and the 
FAA, describing a method of demonstrating compliance with the requirements of 
JAR 25.903(d)(1) and 14 CFR 25.903(d)(1) respectively. This advisory material 
included guidance on design precautions aimed at minimising the hazards to an 
aeroplane resulting from a UERF. The AMJ and AC both stated: 


These guidelines are based on service experience and tests but are not 
necessarily the only means available to the designer. 


AMJ 20-128A was used by the aircraft manufacturer to show compliance of the 
A380 aircraft design with the requirements of JAR 25.903(d)(1).^' 


The non-containment of significant high-energy debris resulting from a UERF was 
defined as a ‘hazardous effect’ under JAR — Engines (JAR-E), Section 2 Acceptable 
means of compliance and interpretations, Advisory Circular - Joint (ACJ) 

E 510.42. ACJ E 510 required the likelihood of a failure resulting in a ‘hazardous 
effect’ to be ‘extremely remote’, which in turn was to be based on a predicted 
probability of occurrence of not more than 10? per hour of engine operation (or one 
event in every 100,000,000 hours of engine operation). 


Although the probability of a UERF event is considered extremely remote, the 
advisory material was based on the premise that a UERF had occurred. Analysis of 
the effects of that UERF were then necessary, and additional methods of hazard 
minimisation were required to reduce the effect of a UERF on the aircraft. 


? FAA Type Certificate AS8NM 


^ JAR 25 and AMJ 20-128A have since been superseded by EASA certification specification 
(CS) 25 and Acceptable Means of Compliance (AMC) 20-1284, respectively. The content of 
those documents was, for all intents and purposes, the same. JAR 25 and AMJ 20-128A remain 
applicable to the A380 as its certification basis. 


? For installation on a Transport Category aircraft, JAR-25 required that engines were Type 


Certificated to JAR-E. 
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The advisory material provided a description of a safety analysis, the objective of 
which was to minimise the hazards to the aircraft. The safety analysis includes the 
use of and assessment of practical design considerations and precautions, and a 
numerical assessment of the residual risk, ? based upon a fragmentation model. If 
the airframe design meets the objectives of the safety analysis, then it has 
minimised the hazards from a UERF and therefore, meets the certification 
requirement. 


The safety analysis accepted that after a UERF event: 


Some degradation of the flight characteristics of the aeroplane or operation of 
a system is permissible, provided the aeroplane is capable of continued safe 
flight and landing. ^ 


The practical design considerations included the placement of critical components, 
where practicable, outside of the areas subject to UERF debris. Where this is not 
practical, the designers were to reduce the risks by practices such as system 
multiplication, redundant multipath wiring and the use of shielding from the 
airframe or supplemental shielding. Specific accepted design precautions included: 


* Fire warning and extinguishing systems. Following a UERF event, the fire 
warning systems of all engines should continue to be operational and the 
extinguishing systems of the remaining engines should also remain 
operational. 


e Flammable fluid shut-off valve. The guidance identified that the only 
effective means of extinguishing an uncontrolled engine fire following a 
UERF event may be to shut off the supply of all flammable fluid to that 
engine. Therefore, the operation of the isolation valves for fuel and 
hydraulic fluids should be assured. This required the designer to locate 
these isolation valves outside of the UERF impact areas for an engine, and 
ensure that any valve actuation controls that were routed through the impact 
areas were redundant and appropriately separated. 


The numerical assessment of the residual risk examined a number of fragmentation 
scenarios. Associated with each scenario was a specific hazard ratio that identified 
the probability that the scenario in question could result in catastrophe.^ The 
assessment required the designer to plot fragment trajectories from each of these 
scenarios, calculate the probability of a catastrophic outcome, and show that this 
probability was less than the specified ratio. 


For other than the duplicated or multiplicated systems, that were contained within a 
specific debris impact area, the safety analysis was predicated upon assessment of 
the trajectory of a single one-third disc fragment, a single intermediate fragment and 


^ Residual risk is the risk remaining after all practical design considerations have been taken to 


minimise the hazards from the effects of a UERF. 


AMJ 20-128A defined ‘continued safe flight and landing’ as: ‘the aircraft is capable of continued 
controlled flight and landing, possibly using emergency procedures and without exceptional pilot 
skill or strength with conditions of considerably increased flight crew workload and degraded 
flight characteristics of the aeroplane.’ 


^ Defined under JAR 25.1309 and associated guidance as a failure condition that would result in 


multiple fatalities, usually with the loss of the aeroplane. 
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a limited percentage of small fragments. ^? Each of the fragment sizes had a specific 
spread angle that defines their relevant impact areas. The spread angle was the 
angle measured, fore and aft, from the plane of rotation of the failed rotating disc. 
Each of the scenario assessments was conducted separately. 


Evolution of the Acceptable Means of Compliance 


The guidance material, providing an acceptable means of compliance, reflected the 
evolving knowledge base gained from service experience. This included several 
aircraft accident investigations conducted by the US National Transportation Safety 
Board (NTSB). 


On 22 September 1981 a McDonnell Douglas DC-10 sustained structural and 
systems damage following a UERF event during the take-off roll at Miami 
International Airport, Florida. The flight crew rejected the takeoff and safely 
stopped the aircraft. There were 15 crew and 71 passengers on board and there were 
no injuries. ^ 


As a result of this accident, on 16 April 1982, the NTSB issued recommendation 
A-82-038 to the US Federal Aviation Administration (FAA), which stated: 


The NTSB recommends that the Federal Aviation Administration: expedite 
the publication of guidance material for acceptable means of compliance with 
14 CFR 25.903(d)(1), which includes compliance documentation by failure 
mode and effect analysis, provides for rotor fragment energy levels and paths 
based on cases of severe in-service damage, and reflects advances in 
analytical techniques and concepts which have taken place since certification 
programs of the early 1970's. 


In response to this recommendation, on 9 March 1988 the FAA issued Advisory 
Circular (AC) 20-128 Design Considerations for Minimizing Hazards caused by 
Uncontained Turbine Engine and Auxiliary Power Unit Rotor and Fan Blade 
Failures. The NTSB closed the recommendation on 24 May 1988, stating that: 


The Safety Board has accepted the FAA's Advisory Circular (AC) 20-128 as 
fulfilling the technical aspects of A-82-38. This safety recommendation has 
been classified as "Closed--Acceptable Action." 


On 19 July 1989 a UERF event occurred on a McDonnell Douglas DC-10 during 
cruise, which resulted in the loss of all hydraulic systems that powered the aircraft's 
flight controls. The flight crew experienced severe difficulties controlling the 
aircraft, which subsequently crashed during an attempted landing at Sioux Gateway 
Airport, Iowa. There were 11 crewmembers and 285 passengers on board. One 
flight attendant and 110 passengers were fatally injured. ^ 


^5 AMJ 20-128A permitted the use of an alternative model that examined a single one-third fragment 


in place of the one-third disc fragment and intermediate fragment scenarios, but over a greater 
impact area. 


^ National Transportation Safety Board. Aircraft accident report: NTSB/AAR-82-3, Air Florida 
Airlines, Inc. McDonnell Douglas, Inc., DC-10-30CF, N101TV, Miami International Airport, 
Miami, Florida, September 22, 1981. 


48 National Transportation Safety Board. Aircraft accident report: NTSB/AAR-90/06, United 
Airlines Flight 232, McDonnell Douglas DC-10-10, Sioux Gateway Airport, Sioux City, Iowa, 
July 19, 1989. 
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During its investigation of the accident the NTSB issued a series of safety 
recommendations that were targeted at uncontained engine failures. One of those 
recommendations concerned improving the advisory material concerning the 
minimisation of hazards resulting from UERFs. 


Recommendation A-90-170 stated: 


The NTSB recommends that the Federal Aviation Administration: analyze the 
dispersion pattern, fragment size and energy level of released engine rotating 
parts from the July 19, 1989, Sioux City, Iowa, DC-10 accident and include 
the results of this analysis, and any other peripheral data available, in a 
revision of AC 20-128 for future aircraft certification. 


In response to this recommendation, on 25 March 1997 the FAA issued 

AC 20-128A Design Considerations for Minimizing Hazards caused by 
Uncontained Turbine Engine and Auxiliary Power Unit Rotor Failure. This AC 
was harmonised with the guidance provided by the European Joint Aviation 
Authorities and cancelled AC 20-128. On 26 August 1997, the NTSB classified 
A-90-170 as ‘closed--acceptable action’, based on the FAA's actions. 


Service experience relating to UERFs 


Another recommendation from the Sioux Gateway Airport DC-10 accident 
investigation, A-90-172, stated: 


The NTSB recommends that the Federal Aviation Administration: create the 
mechanism to support a historical data base of worldwide engine rotary part 
failures to facilitate design assessments and comparative safety analysis 
during certification reviews and other FAA research. 


In response to this recommendation, on 10 September 1998 the FAA advised the 
NTSB that: 


The FAA will preserve & retain the overall data base for uncontained engine 
failures generated under the aircraft catastrophic failure prevention program. 
The data will be available for future design assessments, safety analyses, & 
research. 


On 8 December 1998 the NTSB classified A-90-172 as ‘closed--acceptable action’, 
based on the FAA's actions. 


In addition the Aerospace Industries Association conducted a study of uncontained 
rotor failures and their consequences over the period 1969 to 2006. The study’s 
findings were released in a report in January 2010.“ The intent of the report was to 
provide ‘a single rotor burst database for high bypass turbofans, as recommended 
by the NTSB recommendation A-90-172’. 


The report found that there were 67 recorded disc burst events in the period studied, 
of which 58 were uncontained by the engine nacelle. A breakdown of those failures 


? Aerospace Industries Association (AIA), AIA report on high bypass ratio turbine engine 


uncontained rotor events and small fragment threat characterization 1969 - 2006, Volume 1, 
January 2010. Available at: 


http://www.aia-aerospace.org/assets/aia_rotor_burst_small fragment committee report voll.pdf 
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indicated that 46 involved first generation” engines and 12 second generation 
engines. The second generation engines were ‘those designed in the 1980s with the 
understanding and incorporation of Lessons Learned from the first generation." 


The failure of the No. 2 engine on VH-OQA was the first UERF involving a third 
generation engine. Third generation engines were those ‘designed to incorporate the 
Lessons Learned from the second generation." 


50 ibid. pg 21. ‘First generation’ Turbofan engines that were designed in the late 1960s. These 


include: the JT9D, RB211-22B, and the CF6-6, CF6-50 and CF34-3. 


51 ibid. pg 21. ‘Second generation’ turbofan engines include: PW2000, CFM56-2, CFM56-3 and 


CFM56-5, and RB211-5XX. 
52 Tbid. pg 21. ‘Third generation’ turbofan engines include: GE90, CFM56-7, CF34-10, PW4000 and 


RB211 Trent series. 
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FACTUAL INFORMATION: ENGINE 


2.1 


2.1.1 


Part 2 of this report focuses on the aircraft's No. 2 engine that sustained an 
uncontained failure on 4 November 2010. Information is provided on the structure 
of the engine and the damage resulting from the uncontained failure that will 
provide a background for understanding the engine failure sequence as described in 
Part 3. 


Trent 900 description 


Mechanical arrangement 


The Trent 900 is a three-shaft, high-bypass ratio turbofan engine with variants 
ranging in maximum thrust from 334.3 kN (75,152 Ib) to 374.1 kN (84,098 Ib). The 
three primary rotating assemblies in the Trent 900 are (Figure 25): 


* alow pressure (LP) compressor (fan) connected by a shaft to a five-stage 
LP turbine 


* anintermediate pressure (IP) compressor connected by a shaft to a single 
stage IP turbine 


* a high pressure (HP) compressor driven by a single-stage HP turbine. 


Each rotating assembly was supported by bearings at the front and rear of each 
shaft. 


The No. 2 engine on VH-OQA was a Rolls-Royce Trent 972-84 variant, with the 
engine serial number (ESN) 91045. The engine's rated maximum take-off thrust 
was 341.4 kN (76,752 Ib). 


Figure 25: Trent 900 main rotating assemblies 
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Image source: Rolls-Royce RB211-Trent 900 Line and Base Maintenance training guide 


The Trent 900 is of modular construction and includes a separate module for the IP 
turbine, referred to as module 05 (Figure 26). 
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Figure 26: Trent 900 modular breakdown (IP turbine highlighted in red) 
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Image source: Rolls-Royce RB211-Trent 900 Line and Base Maintenance training guide 


The IP turbine module consists of the IP shaft, IP turbine disc and blades, IP nozzle 
guide vanes (NGVs),? LP stage 1 NGVs, IP turbine case, LP turbine front panel, 
HP and IP bearings, and the HP/IP bearing support structure (Figure 27). 


Figure 27: IP turbine module 
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Image source: Rolls-Royce RB211-Trent 900 Line and Base Maintenance training guide 


? Nozzle guide vanes are fixed structures that direct the airflow into the turbine at the correct angle. 
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The HP/IP bearing support structure provides radial and axial location support for 
the HP and IP bearings. The bearings are located in a hub structure that encloses an 
oil fed bearing chamber. That hub is connected to the IP turbine case through a 
strutted ring structure that has a front and rear panel. The support struts pass 
through the IP turbine NGVs. 


Spaces within the IP turbine module are supplied with compressed air from various 
engine compression stages to provide cooling or sealing functions (see the different 
coloured regions in Figure 28). For example, the HP stage 3 (HP3) air™ in the space 
around the IP turbine disc (coloured pink in Figure 28) provides cooling for the IP 
turbine disc. The air/oil mix that is contained within the HP/IP bearing chamber 
(coloured light green) is separated from the relatively hot HP3 air by a buffer space 
(coloured dark yellow). The buffer space surrounding the HP/IP bearing chamber is 
supplied with cooler IP stage 8 (IP8)” air and under normal circumstances is free 
from oil (Figure 28). 


°4 Bleed air taken from the third stage of the HP compressor. 


°° Bleed air taken from the eighth stage of the IP compressor. 
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Figure 28: Side view through the Trent 900 (regions of differing air pressure 
and temperature indicated by differing colours) 
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Image modified from a Rolls-Royce plc supplied model 


A number of pipes pass through the HP/IP structure to service the bearing chamber. 
These service pipes pass through the inside of the IP turbine NGVs to variously: 
supply IP8 air to the buffer space, vent air from the bearing chamber, supply oil to 
the bearing chamber and scavenge oil from the chamber (Figure 29). 
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Figure 29: Bearing chamber service pipes in HP/IP support structure 
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Note: The above view is from the rear of the HP/IP support structure and the rear panel of 
the structure has been removed for clarity. 


The oil feed, scavenge and vent pipes pass through clearance holes in the outer hub, 
then through the buffer space and were secured to the inner hub by an interference 
fit^? and end welded (Figure 30). These pipes differ from the IP8 air pipes as they 
have an extension, referred to as a stub pipe, to account for the additional length 
required to reach the inner hub. An integral filter in the oil feed stub pipe was 
included with the intent of preventing oil contaminants entering the HP/IP bearings. 


To accommodate the filter in the oil feed stub pipe, the inner hub end of that pipe 
has an enlarged inside diameter (Figure 31). 


56 An interference fit is where the outside of the pipe is slightly larger than the inside of the hole. The 
pipe is forced into the hole during manufacture and the associated friction assists in retaining the 
pipe in place. 
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Figure 30: Cross section of a generic HP/IP hub with a service pipe 
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Figure 31: Cross section of a generic HP/IP hub with an oil feed stub pipe 
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The IP turbine disc was constructed from a high-strength, heat-resistant nickel alloy 
and was designed to transmit the loads generated by the IP turbine blades to the IP 
drive shaft. The disc was connected to the IP drive shaft through an extension to the 
disc, referred to as the ‘drive arm’ (Figure 28). The drive arm had a number of holes 
to allow the HP3 cooling air to flow from the front to the back of the disc. Those 
holes (R850) were located close to the bolted connection to the IP shaft, 
immediately behind the triple seal at the back of the bearing chamber. 


2.1.2 Engine control 


The Trent 900 is controlled using a full authority digital engine control (FADEC) 
that controls the thrust level of the engine as demanded by the aircraft's control 
systems. The FADEC consisted of an engine electronic controller (EEC), and a 
number of sensors and controller systems. Based on the inputs from a number of 
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2.1.3 


engine and aircraft sensors, the EEC computes and commands a number of 
controller systems on the engine. 


The FADEC performs a number of functions, including: 
* control of engine start 


e fuel and airflow control in response to thrust demand and the environmental 
conditions 


* scheduling of thrust levels as required by the aircraft systems 
e engine protection 
* recovery from engine surge 


e the provision of information to the aircraft for control, recording and 
display purposes. 


Engine protection functions 


The FADEC provides a number of engine protection functions. Of these, the ATSB 
was particularly interested in the engine overspeed protections and turbine overheat 
detection. The following discussion examines those functions. 


Overspeed protection 


The engine's three primary rotating assemblies are not directly connected to each 
other and operate at different rotational speeds. The speed of each rotating assembly 
is denoted by N1, N2 and N3 for the LP, IP and HP assemblies respectively. These 
speeds are represented as a percentage, with 10096 representing a defined speed 
datum value set during the engine design. Each assembly's maximum certified 
speed (referred to as the redline speed) for normal operation has been approved for 
each of the rotating assemblies, based upon the results of testing. 


The engine's rotating assemblies were designed and tested for in-service 
operational conditions and to meet the certification standards. The rotating 
assemblies were designed to operate at rotational speeds above the redline speed for 
very short periods without the forces generated by rotation exceeding the structural 
capability of the rotating assemblies.” Operation at speeds above the redline speed 
is termed an overspeed. 


An overspeed that exceeds the structural capability of a rotating assembly can 
create a hazardous situation in which the rotational forces exceed the strength of the 
structure, leading to its fracture. If any high-energy debris cannot be contained 
within the affected engine case, a hazardous event can occur as a result of that 
ejected debris further damaging the aircraft. 


The Trent 900 FADEC provided a number of overspeed protections to minimise the 
risk of such an event. 


The LP overspeed protection system provides two protection functions, against LP 
rotor assembly overspeed and LP turbine overspeed. LP rotor assembly speed, or 
N1, is measured at the front and rear ends of the LP shaft. If the speed sensors 


?7 Forces are generated within a rotating object, the higher the rotational speed, the greater the forces 


generated. 
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detect an overspeed event, the FADEC commands the fuel flow to the combustion 
chamber to stop. Combustion ceases and N1 reduces. 


If the LP shaft fails, there would be a difference between the speed at the front 
(compressor end) and rear (turbine end) of the affected shaft. A shaft failure could 
result in a turbine overspeed because the core airstream continues to apply a load to 
rotate the turbine, but the load would not be balanced by the load required to turn 
the LP compressor. To protect the LP turbine from such an event, the FADEC 
monitors the difference in the speed between the front and rear LP shaft speed 
sensors. If the FADEC detects a difference between these sensors, the LP turbine 
overspeed system (LPTOS) activates and shuts off the fuel flow to the combustion 
chamber. Combustion stops and any overspeed of the unrestrained LP turbine 
would be limited. 


The IP rotor assembly overspeed protection system has speed sensors at the 
compressor end of the IP turbine shaft. It operates in a similar manner to the LP 
rotor assembly overspeed protection system, but does not provide for the turbine 
overspeed protection function in the event of an IP shaft failure. During the design 
of the engine, it was understood that this protection was not required because the 
expected engine behaviour would prevent a hazardous overspeed of the IP turbine 
in the event of a shaft failure. Further detail of this engine behaviour is provided in 
section 2.4 of this report. 


There is no specific HP overspeed protection function to interrupt the fuel supply in 
a similar manner to the LP and IP systems. The HP shaft system was designed and 
certified on the basis that failures of the shaft would not lead to a hazardous 
overspeed. 


Turbine overheat detection 


The FADEC’s turbine overheat detection function monitors the temperature around 
the IP turbine. The system consists of two temperature sensors located in the spaces 
to the front of the HP/IP support structure (TCAF)” and to the rear of the LP 
turbine front panel (TCAR)” (Figure 28). If either of these sensors detect a 
temperature in excess of the predetermined overheat limit, the FADEC sends a 
message to the relevant aircraft system for it to display a ‘turbine overheat’ warning 
on the engine/warning display in the cockpit. No change is made to an engine's 
operation by the FADEC as a result of the identification of a turbine overheat. Any 
subsequent precautionary actions are the responsibility of the flight crew. 


2.1.4 Engine surge 


The compressor section of a jet engine increases the pressure of the air delivered to 
the combustion chamber. The compressors in the Trent 900 are made up of a 
number of stages of rotating and static aerofoils (or blades and vanes respectively). 
Steady flow through the stages of a compressor occurs within a relatively narrow 
band of conditions. If the conditions inside a compressor go outside of this band due 
to an operating condition or a disturbance, the flow around the blades can break 


8 Turbine cooling air front. 


*? Turbine cooling air rear. 
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2.2 


2.2.1 


down in a manner known as a stall. In this instance, the blades would no longer 
effectively compress the air. 


A stall could be a local phenomenon, where a small region of stalled flow rotates 
around the compressor (a rotating stall), or could affect the entire compressor (a 
locked stall). If the breakdown of flow in a compressor stall is significant enough, 
the pressure change within the engine could be sufficient to reverse the flow 
through the compressor in a phenomenon known as a 'surge'. A surge is 
characterised by a rapid drop in HP compressor delivery pressure (in the Trent 900 
engine this is denoted as P30) and is often associated with a loud bang, or series of 
bangs, that can be heard in the aircraft. Sometimes a flame can be observed at the 
core engine inlet and exhaust as combustion products are expelled from the 
combustion chamber. If action is not taken immediately, the surge can cycle 
between normal and surge flow, potentially resulting in damage to the engine and 
loss of engine thrust. 


In the normal operation of a modern FADEC-controlled engine, surges are not 
common. The Trent 900 FADEC includes a surge recovery function that includes 
opening the bleed air valves and reducing the fuel flow.” 


No. 2 engine on VH-OQA 


Engine serial number (ESN) 91045 was manufactured in the United Kingdom in 
June 2006 and initially fitted to the No. 4 position on VH-OQA at the Airbus 
factory in France. The aircraft was subsequently released into service on 

18 September 2008. 


The aircraft's maintenance documentation was reviewed in relation to the in-service 
operation of ESN 91045, including its oil usage. This review established that the 
engine had similar engine operation and oil consumption characteristics compared 
to the other engines fitted to the aircraft and throughout the operator's Trent 900 
powered fleet. 


Significant service history 


In September 2009, after 3,418 hours and 416 cycles of operation, metal debris was 
detected in the oil of ESN 91045. The engine was removed from the aircraft and 
sent to a manufacturer-approved service facility for examination. 


The metal in the oil was found to have originated from a bearing in the LP system. 
The bearing was replaced and, while the engine was at the service facility, a number 
of other servicing items were addressed. This included the replacement of the HP 
and IP turbine bearings, inspection of the IP turbine disc, replacement of the HP 
turbine disc and inspection of the HP/IP bearing support assemblies. The only 
defects detected during the inspections were excessive wear in a number of the 
HP/IP bearing chamber service pipes. That wear was at the point where the fittings 
exit the IP turbine case, and was rectified by replacement of the pipe ends via a 
manufacturer-approved repair scheme. 


6 The primary purpose of the reduced fuel flow is to move the compressor operating conditions 


away from stall, restore stable compressor airflow and therefore prevent over-temperature of the 
gases in the combustion chamber. Any over-temperature of the combustion chamber gases could 
damage the turbine blades. 
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2.3 


The replacement of the bearings and other work was the last significant service 
activity on the engine prior to the uncontained failure. 


Following the rectification work, the engine remained in storage until 24 February 
2010 when it was fitted to the No. 2 position on VH-OQA. The engine remained in 
service in this position until the uncontained engine failure. At the time of the 
failure, the engine had accumulated a total of 6,314 hours in service and 677 cycles. 


Observation: 


The investigation did not identify any link between the maintenance performed on the 
engine and the uncontained engine failure. 


Damage to the engine 


The primary damage to the engine occurred in the region of the IP turbine. An 
initial *on-wing' visual examination of the engine identified that the entire 
circumference of the case around the IP turbine was breached and that the IP 
turbine disc was missing (Figure 32). The thrust reverser cowl and cold airstream*' 
duct fairings sustained significant damage and the section of the thrust reverser 
cowl and cold airstream fairings to the rear of the primary damage had separated 
from the engine. 


Figure 32: General damage to the engine (looking outboard) 
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The engine was disassembled in a manufacturer approved service facility under the 
supervision of the ATSB. 


8! There are two primary air streams through the engine: the ‘cold’ and ‘hot airstreams’. The air that 


passes through the fan only, and is ducted around the core of the engine is termed the cold 
airstream. The hot or core airstream passes through the fan and engine core, which consists of the 
intermediate and high pressure systems, the combustion chamber and the low pressure turbine. 
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Further damage to the engine was identified during that disassembly including three 
large perforations to the LP turbine front panel that were approximately equally 
distributed around the circumference of the panel (Figure 33). The first stage LP 
turbine blades, in three equally distributed locations, were also damaged. 


Figure 33: LP turbine front panel damage 
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Note: The above view is from the rear of the engine, looking forward. 


Damage was also identified between the HP/IP bearing support structure and the 
HP turbine. This included scoring of the HP turbine disc and significant damage to 
the triple seal. The rotating and static portions of the HP turbine triple seal had 
separated from their support structures (Figure 34), fractured and then entwined 
within each other (Figure 35). There was a rough, grey deposit on the surfaces 
within module 05 near the HP turbine shaft that was identified as melted and 
resolidified metal. 


—-B55- 


Figure 34: Location of the HP turbine triple seal 
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Image modified from a Rolls-Royce plc supplied model 


Figure 35: Damage between the HP/IP structure and HP turbine 
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Examination of the IP shaft found that a remnant of the IP turbine drive arm bolting 
flange was still attached to the drive shaft (Figure 36). The IP turbine drive arm had 
separated from the bolting flange at the R850 cooling holes. There was a significant 
amount of heat damage and erosion in and around these cooling holes and the 
surfaces were coated in rough melted/resolidified material. Although much of the 
surface was damaged by metal-to-metal contact, sections of the original fracture 
surface were examined and found to be consistent with tensile and shear overstress. 
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The HP/IP bearing chamber triple seal and the rear rotating triple seal between the 
IP and LP turbines showed a significant amount of erosion and heat damage 
(Figure 37). The flange of the rear rotating triple seal also contained erosion pits 
immediately behind each of the R850 cooling holes. 


Figure 36: Damage to IP drive shaft 
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Figure 37: Location of the triple seals 
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Image modified from a Rolls-Royce plc supplied model 


The section of the IP turbine disc that was recovered from Batam Island, Indonesia 
(Figure 12) was examined in detail by the engine manufacturer under the 
supervision of the ATSB. This section of disc consisted of about 43% of the total 
disc and weighed about 70 kg. In addition, two radial fractures in the disc and a 
circumferential fracture in the drive arm were identified (Figure 38). The 
examination found that all of the fractures were consistent with an overstress of the 
material. There was no evidence of any pre-existing material defect or damage that 
contributed to the fractures. 
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The rear face of the disc contained a circumferential wear groove in the radius 
where the disc transitions to the drive arm. This wear groove was consistent in size 
and location with the forward flange on the LP turbine front panel. 


Figure 38: Recovered section of IP turbine disc - looking forward (radial 
fractures labelled ‘A’ and ‘B’) 
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The drive arm was bent outward by approximately 90? (Figure 39). Metallurgical 
examination of the drive arm found changes in the material that were consistent 
with its exposure to high temperatures (in excess of 1,125 ?C). The portion of the 
drive arm remaining on the disc did not contain any remnants of the R850 cooling 
holes. The separated portion of the drive arm, which would likely have contained 
those remnants, was not recovered. 


Figure 39: Comparison of a diagrammatic representation of the IP turbine disc 
with the recovered segment of the disc 
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The disc segment exhibited a significant amount of overall deformation. There was 
an average radial growth of about 19 mm and the blade restraint (firtree) slots had 
opened by 0.3 to 0.4 mm when compared to the manufacturer's specifications. 


There were no complete turbine blades in the recovered section of the disc. 
However, a number of blade root remnants were recovered from that disc section, 
as well as from Batam Island and various locations in the aircraft structure. No 
evidence of any pre-existing defects or damage was identified on any of these blade 
root remnants. All damage was consistent with having resulted from the 
uncontained failure. 


The HP/IP bearing hub and structure exhibited a significant breach of the outer 
bearing hub (Figure 40), which was also associated with a bulging of the area. 
Portions of the hub had a coating of the rough melted/resolidified material observed 
in other areas. The outer hub was breached in the upper-right quadrant, extending 
down to the vicinity of the oil feed stub pipe (not visible in Figure 40). 


Figure 40: Damage to the HP/IP hub structure 
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The oil feed stub pipe had detached and displaced outwards about 30 mm from the 
inner hub. A remnant of the oil feed stub pipe remained in the inner hub 
(Figure 41). 
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Figure 41: Inner and outer HP/IP bearing hubs at the oil feed pipe location 
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Although the filter body was still in place, the wire gauze filter element was missing 
(Figure 42). Upon inspection, it was apparent that the filter body was misaligned 
with respect to the interference fit bore in the inner hub. There was also an 
additional misalignment of the filter body with respect to the oil feed stub pipe as 
the remnant of that pipe was trapped between the HP/IP inner hub bearing 

(Figure 42). 


Figure 42: HP/IP inner hub oil feed pipe 
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The oil feed stub pipe was fractured in two planes, one around the weld that 
attaches the pipe to the inner hub, and the other further outboard, close to the 
shoulder where the pipe presses into the inner hub. Three distinct fracture regions 
were identified on the oil feed stub pipe: 


* one through the stub pipe-to-hub weld 
e a straw coloured planar region 


* ablue coloured angular region (Figure 43). 
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Figure 43: Oil feed stub pipe fracture 
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Detailed laboratory examination of the fracture regions found that the majority of 
the cracking, including the blue coloured region, was typical of an overstress 
fracture. The planar region covered an arc of about 90? of the oil feed stub pipe and 
was identified to be a pre-existing fatigue crack. The origin of this crack could not 
be precisely determined, however, the general shape of the crack indicated its origin 
on the outer surface of the pipe before growing inwards. 


A band of fretting was identified on the outer diameter of the stub pipe at a position 
coincident with the fatigue cracking (Figure 44). The fretting was along the area 
that formed an interference fit with the inner bearing hub, indicating relative 
movement between the stub pipe and the inner hub interference bore. The engine 
manufacturer reported observing similar fretting bands on some of the engine's 
other HP/IP stub pipes. 


Figure 44: Oil feed stub pipe fretting 
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Of particular note, the wall thickness of the fractured end of the oil feed stub pipe 
was not uniform. A number of measurements were taken around the stub pipe wall 
showing that the wall thickness varied from 1.42 mm down to 0.35 mm (Figure 45). 


Figure 45: Fractured oil feed stub pipe wall measurements 


Image modified from a Rolls-Royce plc supplied mode 


The fatigue crack coincided with the thinnest wall section and it was apparent that 
the counter bore^ used during manufacture to enlarge the inner diameter of the oil 
feed stub pipe to accept the oil filter was offset from the centre of the pipe 

(Figure 46). The manufacturer's counter boring operation was a two-stage process 
that initially involved drilling into the pipe end. The pipe end was then reamed” to 
a shallower depth than the drilled hole to form a close-tolerance fit for the filter 
body.™ The drilled and reamed sections of the counter bore were misaligned with 
respect to the centreline of the pipe and each other (Figure 47). 


€ A counter bore is a hole of defined depth that is used to locally enlarge another hole. 


83 The use of a rotating tool to enlarge and finish a hole or opening. 


64 Further detail on the manufacturing processes involved in the counter bore is provided in Part 4. 
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Figure 46: Offset oil feed stub pipe counter bore 
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Figure 47: Diagrammatic representation of the offsets produced during 
manufacturing operations 


UP 
Region of fatigue cracking 


and thinnest wall within 
stub pipe 


"d 


tub pipe outer diameter 
Drilled counter bore 
Reamed counter bore 


Stub pipe inner diameter 


Engine E 
Forward 


—63- 


2.4 


2.4.1 


2.4.2 


Intermediate pressure turbine behaviour 


Disc burst 


During the normal operation of a gas turbine engine, the load applied by the hot 
airstream as it passes through a turbine is transferred through the interconnecting 
shaft to the compressor. That load is used to drive the compressor to increase the 
pressure of the air passing through the compressor. A turbine will rotate at a 
constant speed when there is a balance between the load applied to the turbine by 
the hot airstream and the compressor load as it compresses the air. 


When a drive shaft (or drive arm) fails, the compressor load is removed from the 
turbine and the system is no longer balanced. This condition, known as a ‘loss of 
load’ on the turbine, results in a decrease in compressor speed and an increase in 
turbine speed, as the hot gas stream is still applying a load on the now unloaded 
turbine. 


When a disc is rotating, there is a radial expansion of the disc as a result of 
centrifugal forces generated by the rotation. The greater the rotational speed, the 
greater the forces that are generated. These centrifugal forces are resisted by the 
stiffness of the disc® and result in stresses within the disc. When the speed is such 
that those stresses exceed the yield strength of the disc, permanent deformation 
results and the disc ‘grows’ larger than its original size. When the stresses exceed 
the ultimate strength of the disc, the disc fails. That failure is typically in tension, 
and results in radial (that is, from the centre of the disc outward to the rim) 
overstress factures. Thus, a disc that failed in overspeed (disc burst) will exhibit 
permanent growth and radial overstress fractures. 


Because a disc burst generally occurs at a high rotational speed, the released debris 
has sufficient energy to pass through the engine case at great speed and can impact 
the aircraft structure. The non-containment of significant high-energy debris is 
defined as a ‘hazardous effect" ^? and the prevention of a disc burst is paramount for 
designers and manufacturers. It is therefore critical that the speed of a turbine disc 
under any condition does not exceed its burst speed. 


Design and certification - predicted IP turbine behaviour 


Although a turbine disc will accelerate when it loses its load, the turbine's speed 
will not increase indefinitely. The disc's maximum, or terminal, speed is limited by 
a number of factors, depending on where in the system the failure occurs and how 
the engine behaves following the failure. The designer needs to show that the 
terminal speed is below the burst speed of the disc. 


To determine the Trent 900 IP turbine disc's terminal speed, the engine 
manufacturer assessed how the engine would behave following an IP shaft failure at 
a range of locations. This analysis identified a number of factors that combine to 
limit the terminal speed. 


$9» The stiffness of the disc is a combination of the material properties and its geometric configuration 


(size and shape). 


$9 As defined by Joint Aviation Requirements — Engines (JAR-E), Section 2 Acceptable means of 


compliance and interpretations, ACJ E 510. 
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The engine manufacturer predicted that on failure of the IP shaft, the IP turbine disc 
would move rearward under gas loads and immediately engage with the hardware 
behind the disc (the LP turbine front panel). This contact would result in frictional 
loads that resisted the rotation of the IP disc. The rearward movement of the disc 
would also partly move the turbine blades out of the gas flow, reducing their 
efficiency and hence reducing the load being applied to the disc. Because the IP 
compressor would no longer be driven by the IP turbine, it would rapidly 
decelerate. The deceleration rate was predicted to be so great that the engine control 
system could not properly maintain the airflow through the compressor and a 
compressor stall would result. The resulting stall would affect the whole IP 
compressor, which would no longer be capable of holding back the already 
compressed air in the engine. In consequence, it was believed that the flow through 
the compressor would reverse, causing the engine to surge. During the surge, the air 
pressure within the engine and the air flow through the engine would rapidly 
reduce, further reducing the load applied to the turbine. 


During testing of the Trent 700, a geometrically and aerodynamically similar 
predecessor to the Trent 900, one of the development engines experienced a shaft 
over-torque at very high thrust levels. On another test engine, a shaft failure 
occurred at mid-thrust settings due to an internal oil fire. In both cases the engine 
surged, the HP compressor locked in stall and the engine ran down without a disc 
burst. 


During the design and certification?" of the Trent 900, the manufacturer's 
modelling, testing and experience from the above Trent 700 shaft over-torque and 
shaft failure events indicated that the effect of a surge would include the HP system. 
It was expected that the HP compressor would remain locked in stall and would run 
down. The terminal speed calculations for the IP turbine ‘loss of load’ case in the 
Trent 900 were based on this expected behaviour and the resulting pressure profile 
through the IP turbine. 


The Trent 900 also included a number of design changes over the Trent 700 that 
were expected to further improve the post-shaft failure behaviour of the engine. 


Certification testing 


The design standard required that an engine's fan, compressor and turbine would 
not burst when operated at the engine's most critical speed. An engine's most 
critical speed was considered to be the highest of: 


e 12096 of its maximum operating speed 
e 105% of the maximum speed resulting from a component or system failure 


e 10596 of the highest overspeed resulting from a loss of load on a turbine. 


The critical speed for the IP turbine in the Trent 900 was determined to be 10596 of 
the maximum overspeed from a loss of load on the turbine. 


The fan, compressors and turbines in the Trent 900 were all individually tested 
during certification. The test speeds were increased until the disc under test burst 
and showed that the IP turbine burst speed was in excess of the requirement. The 


97 Certification is the showing of compliance with an accepted design standard. In the case of the 


Trent 900, the design standard was JAR-E at Amendment 11. 
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2.4.4 


test IP disc burst into four main fragments, the largest of which was similar in size 
to the one found on Batam Island from the No.2 engine in VH-OQA (Figure 48). 


Figure 48: Trent 900 IP turbine disc after overspeed burst test 


MW. b "m 
d ZI IH 

Main disc fragment similar 
to that found in Batam Island 


Image source: Rolls Royce plc. 


Actual engine behaviour 


The recorded data from the uncontained failure of ESN 91045 identified an engine 
behaviour that differed from that predicted following a drive shaft failure. The data 
showed that when the drive arm failed at the R850 holes, the engine surged as 
expected. However, the air pressure in the engine did not decay to the level 
predicted from the manufacturer's modelling. A comparison between the expected 
‘certification’ P30 delivery pressure profile and that recorded during the 
uncontained failure in ESN 91045 is presented in Figure 49. 
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Figure 49: Post-surge engine behaviour - a comparison of the HP compressor 
pressure at certification and in ESN 91045 
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Source: Rolls Royce plc. 
Note: The blue region depicts the differences between the Trent 900 certification profile and 
that recorded during the uncontained failure of ESN 91045. 


The engine manufacturer determined that the higher than expected pressure 
recorded during the failure was due to a partial recovery of the HP compressor. That 
recovery was unexpected, and according to the engine manufacturer had not been 
previously observed. The additional pressure provided by the HP system following 
the surge (indicated by the blue shaded area in Figure 49), accelerated the now 
unloaded IP turbine beyond the predicted terminal and burst speeds. 


The partial recovery of the HP system was not completely understood by the engine 
manufacturer. It was not known if the observed behaviour was limited to the 
particular set of conditions encountered, or whether the behaviour could occur in 
other conditions. 


Observation: 


After the accident, the engine manufacturer developed a Trent 900 intermediate 
pressure turbine overspeed protection system (IPTOS). It was enabled through a 
modification to the FADEC software and was designed to limit the available energy and 
prevent the IP turbine from reaching burst speed following an internal engine oil fire. 


Part 7 of this report discusses this modification further. 
2.4.5 Certification failure analysis 


To show compliance with the design standard, the engine manufacturer was 
required to carry out a failure analysis and show that the probability of a hazardous 
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2.4.6 


effect would not occur at a rate in excess of that defined as ‘extremely remote". ^? 


The Trent 900 failure analysis was contained in the certification documentation in 
the form of a failure modes, effects and criticality analysis (FMECA). 


The Trent 900 FMECA consisted of a large number of reports. A summary FMECA 
was prepared and accepted by the certifying authority? as part of the certification of 
the engine. The FMECA was based on the assumption that all manufactured parts 
conformed to the design specifications. 


The failure modes identified in the FMECA that resulted in a shaft, or drive arm 
failure, were categorised as either having a major effect? or a hazardous effect. A 
number of those failure modes included a description of the surge and engine 
rundown behaviour preventing an overspeed failure. 


The consideration of a failure mode very similar to the oil feed stub pipe failure in 
ESN 91045 was recorded in the Trent 900 FMECA. Although the description of the 
propagation of the failure was not exactly the same as the actual failure, the end 
result (failure of the IP turbine drive and overspeed above the critical burst speed) 
was predicted and assessed. It was classified as a hazardous effect and was 
determined to have the acceptable probability of extremely remote. 


Post-event review 


Following the uncontained failure of ESN 91045, the engine manufacturer carried 
out a complete revision of the Trent 900 FMECA and applied the knowledge gained 
from the actual engine behaviour. The revised summary FMECA was also reviewed 
by the ATSB and it was found that the probability of all of the hazardous failure 
modes was still considered by the manufacturer to be extremely remote. Those 
failure probabilities were based on the probability of failure of the applicable 
component (for example, the oil feed stub pipe), and were not reliant on the post- 
shaft failure behaviour of the engine. 


Classification of the HP/IP structure 


In order to ensure, amongst other things, that the appropriate levels of process 
control were applied to manufactured parts, the engine manufacturer had a system 
that classified the parts in terms of the criticality of their failure. There were three 
classification levels in the manufacturer's procedures as follows: 


Critical part 


For all applications critical parts are those whose primary failure is shown 
by the failure analysis as likely to have hazardous effects, and which 
consequentially require special controls in order to achieve an acceptably 
low probability of occurrence. 


$9 JAR-E defined extremely remote as ‘not greater than 10° per engine flying hour’. That is, a failure 


effect that is unlikely to occur during the total operational life of all engines of that type, but 
nevertheless has to be regarded as being possible (one failure in not less than 100,000,000 flying 
hours). 


9 For the Trent 900, the certifying authority was the European Aviation Safety Agency (EASA). 


70 There was no specific definition of a major effect in JAR-E, but it was considered to be one that 


fell between a minor effect (one in which the only consequence was a partial or complete loss of 
thrust from one engine) and a hazardous effect. 
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2.5 


2.5.1 


Reliability sensitive part 


Reliability sensitive parts are those that are not critical but which meet one 
of the following criteria a) or b) below: 


a) Their failure is likely to have a significant effect on reliability or cost 
of operation and which require special controls to achieve an 
acceptably low rate of failure. Significant reliability effects include In 
flight shut down (or in the case of a single-engine aircraft insufficient 
power to sustain flight), Mission abort/diversion/turn back. (note: this 
list may not be exhaustive) 


b) They have a significant impact on the achievement of the specification 
performance and require special controls to ensure that their 
performance characteristics are consistently achieved. 


and 


A component is regarded as sensitive to source or method of manufacture 
where changes to source or method, even though correctly applied, may 
prevent the design intent being consistently achieved. 


Unclassified part 


Unclassified parts are those parts that are neither Critical nor Reliability 
sensitive. 


When parts were classified as critical or reliability sensitive, the design definition 
drawings were annotated to indicate that status. 


The FMECA that was carried out during certification of the Trent 900 identified the 
HP/IP bearing support assembly as being ‘Unclassified’. 


Observation: 


The engine manufacturer's post-event review of the FMECA identified that the HP/IP 
bearing support structure had been inappropriately classified and has been reclassified 
as a Reliability Sensitive part. 


Oil feed stub pipe stress analysis 


Stress analysis of the oil feed stub pipe 


The engine manufacturer carried out a stress analysis of the oil feed stub pipe to 
determine the distribution of the stresses during normal engine operation, in 
particular the location of the maximum or peak stress. The analysis included a 
detailed computer model of the oil feed stub pipe from ESN 91045 that included the 
actual wall thickness distribution. 


The stresses in the oil feed stub pipe resulted from the bending in the pipe from the 
relative movement between the engine case and the HP/IP bearing hub. Other 
analysis by the engine manufacturer identified that the magnitude of that movement 
was directly related to the HP compressor delivery pressure (P30). The greatest 
movement of the hub, and therefore stress on the oil feed stub pipe, during normal 
operation was at the engine's maximum thrust setting and measured about 6 mm. 
This movement was used in the computer stress model. 
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The stress analysis identified that the peak stress in the oil feed stub pipe occurred 
on the outer surface of the pipe, between the shoulder and the interference fit in the 
inner hub. That peak stress was highly localised, and was significantly greater than 
the other stresses in the pipe (Figure 50). The location of the peak stress 
corresponded with the location of the fatigue crack in the oil feed stub pipe in the 
occurrence engine. 


Figure 50: Oil feed stub pipe stress distribution 


UH 


Image source: Rolls Royce plc. 


The blue represents minimum stress, graduating through green and yellow up to red, which 
represents the maximum stress. 


Effect of wall thickness 


To assess the potential for similar fatigue cracking on the remainder of the 

Trent 900 engine fleet, the manufacturer analysed a number of other misaligned 
counter bore scenarios. The movement of the hub was directed along the length of 
the engine and moved rearward as thrust increased. This would generate bending 
stresses that would be greatest if the minimum wall thickness was towards the rear 
of the engine. Thus, in order to be conservative, the manufacturer's modelling was 
based on the minimum wall thickness being located in that position. The minimum 
wall thicknesses assessed were 0.50, 0.56, 0.70 and 0.91 mm. The resulting stress 
distributions reflected that shown in Figure 50. The peak stresses recorded below 
the shoulder in the manufacturer's testing are presented in Table 8 and Figure 51. 


Table 8: Effect of wall thickness on peak stress 
Minimum wall thickness (mm) 0.35" 0.50 0.56 0.70 0.91 


Peak Stress (MPa)? 1047 1011 940 857 712 


7^ The 0.35 mm wall thickness represented ESN 91045 and the stress presented here is for the actual 


orientation, not the worst case scenario. 


7 Megapascal. 
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Figure 51: Effect of wall thickness on peak stress 
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Source: Rolls Royce plc. 


A detailed vibration survey was also carried out by the manufacturer and it was 
determined that the number of engine cycles (low-cycle fatigue) was the primary 
contributor to the fatigue in the oil feed stub pipe, rather than the effects of a high 
frequency vibration (high-cycle fatigue). Based on these findings, the manufacturer 
carried out a fatigue life analysis of the oil feed stub pipe. This analysis 
conservatively assumed that the engine developed full thrust for each of its 
operating cycles, effectively representing a worst case scenario in an engine's life. 
The resulting worst case fatigue lives are presented in Table 9 and Figure 52, along 
with ESN 91045's actual life of 677 cycles at the time of the uncontained failure. 
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Table 9: Calculated fatigue lives 


Minimum wall thickness (mm) 0.35% 0.50 0.56 0.70 0.91 


Fatigue life (flight cycles) 677 5,445 13,892 | 60,000^ | 159,378 


73 The majority of commercial jet aircraft takeoffs are reduced thrust takeoffs, where less than the 


engine's maximum thrust is used. 


^ This is the number of cycles accumulated by ESN 91045 at the time of failure. The fatigue lives 


presented here have been calibrated to this number of cycles. 
75 This value was not provided by the manufacturer and has been estimated by the ATSB from 


Figure 52. 
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Figure 52: Calculated fatigue lives 
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Source: Rolls Royce plc. 


Recorded engine data 


The following information was assembled from a number of data sources including 
the FDR, EEC, EMU and other aircraft-based recorders. The recorded engine data 
sequence of events is presented in Table 10 and Figure 53 to Figure 56. Further 
detail on the recorded data is contained in Appendix C. 


Table 10: Sequence of events relevant to the No. 2 engine from the recorded 


data 
Actual 
time ; 
(UTC) Time sequence Comment 

hh:mm:ss 

01:45:30 -15 min 37 sec All four engines started and stabilised at 
idle and with an N1 of 17%. 

01:55:00 -6 min 07 sec Aircraft commences takeoff. 

01:56:47 -4 min 20 sec Aircraft airborne, No. 2 engine N1 at 79%. 

01:59:07 -2 min 0 sec Crew select CLIMB thrust setting. No. 2 
engine N1 increases to about 86% within 13 
seconds. 

02:00:07 -60 sec No. 2 engine turbine cooling air rear 
(TCAR) begins to rise in relation to the 
other engines (TCAR not displayed to crew) 

02:00:15 -52 sec No. 2 engine oil temperature and pressure 
values begin to diverge from the recorded 
values for the other engines. 

02:00:58 -9 sec No. 2 engine N3 starts to fluctuate and the 
N1 in that engine shows 87%. 
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Actual 


time . 
(UTC) Time sequence Comment 

hh:mm:ss 

02:01:01 -6 sec No. 2 engine HP turbine vibrations peak in 
amplitude? and the N1 and N2 drop by 
about 196. N3 in the No. 2 engine increases 
by about 396 and there is a large spike in 
turbine cooling air forward (TCAF) and 
TCAR. 

02:01:03 -4 sec No. 2 engine HP turbine vibrations rapidly 
decrease. 

02:01:06 -1 sec No. 2 engine N1 at 87%. 

02:01:07 0 sec Rapid and large reduction in the No. 2 
engine N1 and N2 and a sudden and rapid 
drop in P30 in engine No. 2. Turbine disc 
separates from drive arm. 

02:01:08 *1 sec No. 2 engine oil pressure drops, TCAF 
peaks in temperature, No. 2 turbine 
overheat ECAM warning activates and N3 
stabilises at 9696. 

02:01:09 *2 sec Master Warning and Caution activate in the 
cockpit. 

02:01:11 *4 sec No. 2 engine TCAR loss of signal, second 
drop in P30 (less than at t=0), N3. Disc 
burst. 

02:01:17 +10 sec No. 2 engine oil pressure decreases. 

02:01:18 +11 sec No. 2 engine oil quantity begins to 
decrease. 

02:01:38 +31 sec No. 2 engine thrust lever reduced to idle. 

02:01:53 +46 sec No. 2 engine thrust lever progressively 
advanced to half range. 

02:02:08 +1 min 01 sec No. 2 engine P30 increases. 

02:02:20 +1 min 13 sec No. 2 engine N3 and P30 peak then rapidly 
drops. 

02:02:25 +1 min 18 sec No. 2 engine fire ECAM warning. 

02:02:39 +1 min 32 sec No. 2 engine thrust lever reduced to idle. 

02:03:21 +2 min 14 sec No. 2 engine high pressure shut-off valve 


closed and engine shutdown. 
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The vibrations were below the triggering threshold for ECAM notification. 
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FACTUAL INFORMATION: ENGINE FAILURE 


SEQUENCE 


3.1 


This part of the report details the sequence that led to the uncontained failure of the 
aircraft's No. 2 engine. The failure sequence presented is based on the physical and 
recorded evidence. 


The failure sequence occurred in a continuous manner, but contained discrete 
events that broke the sequence down into five key phases. The following discussion 
examines the failure sequence in terms of those phases. 


Phase 1: Oil feed stub pipe failure and oil fire 


As described in Part 2 of this report, a fatigue crack initiated and grew in the HP/IP 
oil feed stub pipe below the shoulder where it fits into the HP/IP bearing chamber 
inner hub. It was not determined when the crack started; however, during the 
occurrence flight the crack grew to a size that allowed oil to leak out of the pipe and 
into the buffer space. The leak was at a low rate but at a pressure that likely resulted 
in an atomised oil spray (Figure 57). 


Figure 57: Oil leak into the buffer space 
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The temperature in the buffer space was reported by the manufacturer to be in the 
range of 365 to 375 ?C. The synthetic oils used in the engine had auto-ignition 
temperatures as low as 280 ?C. A comparison of these temperatures indicates the 
potential for auto-ignition and, given that there were no other ignition sources 
identified, it was likely the leaking oil auto-ignited when it atomised on entry into 
the buffer space. 


7 The buffer space was designed to be an oil free environment. 
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3.2 


The direction of the airflow was from the buffer space, along the IP drive shaft and 
into the low pressure (LP) turbine cavity (represented as red arrows in Figure 58), 
where the TCAR sensor was located. That airflow directed a portion of the fire 
forward from the leaking oil pipe and onto the front of the HP/IP buffer space. 


Given that the air temperature, as measured by the TCAR sensor, started to increase 
at about 02:00:07, 60 seconds before the engine failure, it is likely that the fire 
started shortly before that time. 


Figure 58: Oil leakage and fire 
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Image modified from a Rolls-Royce supplied model 


Phase 2: HP turbine triple seal failure 


About 10 seconds before the engine failure, the fire breached the front face of the 
HP/IP bearing chamber buffer space and impinged directly on the HP/IP triple 
seals. The intense heating distorted the seals, causing them to come into contact 
with each other. 


The distortion and contact significantly increased the vibration levels in the HP 
section. That vibration increased, until about 4 seconds later, it rapidly decreased 
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when the triple seal separated from the structure and the static and rotating portions 
became entwined, scoring the rear face of the HP turbine disc (Figure 59). 


The design of the engine was such that the pressure within the buffer space and 
behind the IP turbine was lower than the hot (annulus gas) airstream exiting the 
HP turbine. This meant that when the triple seals were breached, those hot gases 
were drawn into the space behind the HP turbine disc, where the TCAF sensor was 
located (Figure 59). 


Figure 59: HP turbine triple seal failure 
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Image modified from a Rolls-Royce supplied model 


When the hot gases were drawn out of the annulus gas stream, the performance of 
the engine changed, with the HP assembly speed (N3) increasing and the IP and LP 
assembly speeds (N2 and N1) decreasing. This ‘rematching’”® of the assemblies 
resulted in the engine control system mode changing to limit the HP system speed, 
and a slight decrease in fuel flow was observed. 


75 The turbines operate independently and find a steady state for the current conditions. When the 
conditions change, the turbines ‘rematch’ to a new steady state. 
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Phase 3: Drive arm heating and disc separation from 
the drive shaft 


The change in the pressure distribution inside the engine resulted in the primary 
airflow within the buffer space becoming disrupted. Openings in the hub at the rear 
of the buffer space directed intense radiant heat and flame onto the triple seal at the 
rear of HP/IP bearing chamber. The triple seal failed and the flame was then 
directed onto the IP turbine drive arm at a point corresponding to the location of the 
R850 holes. 


The IP turbine drive arm rapidly heated in the area of the R850 holes, reducing the 
strength of the material. The flame also eroded areas of the drive arm around the 
holes, further reducing its strength and, at 02:01:07 the drive arm failed in 
overstress, separating the IP turbine from the IP drive shaft. As a result of the air 
pressure loads across the turbine, the unrestrained turbine moved rearwards and 
contacted the LP turbine front panel (Figure 60). 


Figure 60: Drive arm heating and disc separation from the drive shaft 
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Image modified from a Rolls-Royce supplied model 


When the IP turbine disc separated from the drive shaft, the IP compressor speed 
rapidly decreased and the engine surged, leading to a rapid reduction in the HP 
compressor delivery pressure (P30). The engine control system detected the surge 
and significantly reduced the fuel flow to the engine. 
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Phase 4: Disc acceleration and burst 


Immediately after the IP disc separated from the drive shaft there was a rapid 
reduction in the IP and LP compressor speeds, but only a small reduction in the HP 
assembly speed, which stabilised at about 9696. Together with the recorded 
parameters for fuel flow and the higher than expected HP compressor delivery 
pressure following the surge, this indicated that the HP system had at least partially 
recovered from the surge. 


Although the pressure in the engine rapidly decreased, there was still sufficient air 
flow to accelerate the unrestrained IP turbine disc. With the partial recovery of the 
HP system, the pressure of the air passing through the IP turbine was greater than 
expected. The friction between the disc and the LP front panel, and the loss in 
efficiency from the IP turbine blades as the disc moved rearwards out of the normal 
airflow, was insufficient to prevent the disc from accelerating past its maximum 
design rotational speed. As the rotational speed increased, the stresses within the IP 
disc increased, it expanded radially and at 02:01:11, 4 seconds after its separation 
from the drive arm, the disc material failed in overstress and the disc burst 

(Figure 61). 


Figure 61: Unrestrained IP turbine disc acceleration and burst 


Image modified from a Rolls-Royce supplied model 


The disc fractured into three primary segments that were projected outwards with a 
force sufficient to breach the engine casing and damage the aircraft. The damage to 
the LP turbine front panel and LP turbine blades indicated that these segments were 
initially projected outwards in different directions (Figure 62). 
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When the turbine case was breached the pressure within the IP disc space dropped 
to atmospheric pressure. That drop in pressure likely resulted in the heat-weakened 
HP/IP bearing chamber outer hub bursting (Figure 40 and Figure 61). 


Associated with the uncontained failure was a further drop in P30 and the speed of 
the HP system decreased to about 4096. The TCAR reading rapidly dropped when 
the wire loom was damaged and the engine oil pressure and quantity began to 
decrease when the supply lines were severed. 


Figure 62: Initial disc segment trajectories, looking rearward 


Note: Segment A was recovered from Batam Island. Segments B and C were not recovered. 
The size of segments B and C were estimated from turbine blade fragments that were 
recovered from the aircraft, Batam Island and from the damage to the LP front panel. 


Phase 5: Post-uncontained failure 


At 02:01:38 (29 seconds after the disc separated from the drive shaft), in response 
to the ECAM turbine overheat indication, the flight crew reduced the thrust 
commanded on the No. 2 engine to idle. From 02:01:53, the flight crew 
incrementally advanced the thrust lever. The recorded data showed that the engine 
responded to that command with an increase in P30 and HP speed, indicating that 
the engine continued to operate following the disc burst. 


The HP speed and P30 continued to increase, until at 02:02:20 the engine surged 
again. At 02:03:21, the flight crew shut down the No. 2 engine. 
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FACTUAL INFORMATION: MANUFACTURING 


4.1 


4.2 


This Part details the design and manufacture of the Trent 900 High 
Pressure/Intermediate Pressure (HP/IP) structure and its role in the development of 
the uncontained engine failure. The information is presented in a semi- 
chronological order starting at the design definition, working through the 
development of the manufacturing processes and ending with the production of 
engines with non-conforming oil feed stub pipes. The production of the component 
that was directly involved in the uncontained engine failure is examined, together 
with the opportunities to detect and manage the affected engines. Finally, an 
indication of the extent of non-conforming oil feed stub pipes within the Trent 900 
engine fleet is discussed. 


In this context, the applicable procedures used by the manufacturer, for example 
‘non-conformance management’, are presented to assist with the reader's 
understanding. Because the entire sequence leading to the uncontained engine 
failure occurred over a number of years, a timeline of key events discussed in this 
report is contained in Appendix E. 


Company structure 


Rolls-Royce plc, a large design and manufacturing organisation, produced 
powerplants and associated services to the civil and defence aerospace, marine and 
energy industries. The manufacturer was divided into a number of business 
divisions reflecting the industries they serviced. 


The Trent 900 engine program was part of the manufacturer's Civil Aerospace 
Division and, while the program team was primarily based at Derby in the United 
Kingdom (UK), the manufacture of engine components was conducted in operating 
business units distributed across the globe. During the development of the Trent 900 
and at the time of the manufacture of the event engine (engine serial number (ESN) 
91045), the HP/IP support structure was manufactured in its plant at Hucknall in 

the UK. 


In March 2007, the engine manufacturer reorganised, replacing operating business 
units with supply chain business units. These units were responsible for the design, 
manufacture and purchase of gas turbine components and sub-systems, differing 
from the previous operating business units that only manufactured parts. As a 
consequence of the reorganisation, the part of the Hucknall plant that manufactured 
the HP/IP support structure (Hucknall Casings and Structures) was transferred to 
the Transmissions, Structures and Drives supply chain business unit. The design 
function for this business unit remained at the Derby facility at that time. 


Product development 


The Trent 900 was a variant of the RB211 Trent family and although similar in 
many ways to other engines within family, had numerous differences in design 
detail. From the early stages of the design, a team was drawn together comprised of 
engineers from a number of disciplines, including structures, performance and 
systems, and was located at Derby. 
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4.3 


An iterative design process was carried out primarily by a team of design engineers, 
but included input from all functions that had a role in the design and manufacture 
of the parts that comprised the engine. The process culminated in a set of drawings 
that defined the engine (design definition) being formally accepted by 
manufacturing.” This acceptance confirmed that any manufacturing issues 
associated with the design had been reviewed and, where necessary, corrected. The 
Trent 900 design definition was frozen when the engine was certified in 2004. 


Concurrently during the manufacturing acceptance of the design definition, a 
number of manufacturing engineers commenced work on the manufacturing process 
specification and instructions. This included the production of a set of 
manufacturing stage drawings and manufacturing instructions that were completed 
and approved after the design definition had been approved. The process 
specification and instructions were developed with the intention of producing the 
components specified in the design definition. The manufacturing stage drawings 
broke the components down into a number of manufacturing process steps detailing 
their manufacture. 


Before the production of items for testing and service, the manufacturing process 
specification and instructions were verified by a first article inspection. The intent 
of this inspection was to check the first item produced to the process specification 
for conformance with the design definition. In the case of the HP/IP bearing support 
structure, the manufacturing acceptance, production of the manufacturing process 
specification and instructions, and the first article inspection were carried out at 
Hucknall. 


Design definition 


The design definition for the prototype HP/IP bearing support structure was 
completed in September 2004. The design definition drawings contained the detail 
of the entire support structure, including the bearing hub, strut ring and service 
pipes. Due to the complexity of the structure, there were around two to three 
thousand individual features?" specified in the design definition. A small number of 
those features related to the fitting of the oil feed stub pipe. The stub pipe, which 
was common to all the service pipes that penetrated the outer hub, was detailed in a 
separate drawing. 


The inside diameter of the oil feed stub pipe was enlarged to accommodate an 
integral filter, as described in section 2.1.1 of this report. This enlargement, referred 
to as the oil feed stub pipe counter bore, was detailed in the design definition 
drawings. A number of features relating to the oil feed stub pipe are referred to in 
this report. This includes the outer hub clearance hole, the interference bore, the 
inner hub counter bore and the oil feed stub pipe counter bore, all of which are 
presented in Figure 63. The oil feed stub pipe counter bore consisted of two primary 
features; a standard tolerance and a high-tolerance (fine limit) counter bore. 


7 Prior to final approval and release of the design definition a check was required to verify that the 


design was optimised for robustness against all technical requirements, including the ability to 
manufacture and inspect. 


9) Specific items, such as hole diameters and positions. 
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Figure 63: Oil feed stub pipe feature terminology 
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The oil feed stub pipe features were distributed across two sheets of the design 
definition drawings. The first of those sheets contained the detail of the outer hub 
clearance hole, the interference bore and the inner hub counter bore. The second 
provided detail of the oil feed stub pipe counter bore. 


To define the relative locations of related features, a set of datums was used on the 
design definition drawings. The primary datum for features relating to the oil feed 
stub pipe was the outer hub clearance hole, which was identified on the design 
definition drawings as AA (Figure 64). 


Figure 64: Representation of the design definition drawing that identified 
datum AA 
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The dimensional information for the oil feed stub pipe interference bore included a 
geometric positional tolerance that required it to be positioned with respect to 
datum AA to within a diameter (@) 0.05 mm circle. This meant that the centre of 
the interference bore was required to lie within a 0.05 mm diameter circle centred 
on the centre of datum AA (Figure 65). 
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Figure 65: Physical interpretation of ‘geometric positional tolerance’ using the 
interference bore as an example 
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The size of the inner hub counter bore was defined and was shown on a common 
axis with the interference bore and datum AA, but there was no positional tolerance 
applied to the inner hub counter bore. 


The design definition drawing sheet that detailed the oil feed stub pipe counter bore 
included the following information (Figure 66): 


e the diameter of the fine limit counter bore 


e a positional tolerance of (20.10 mm for the fine limit counter bore with 
respect to datum AA 


e the overall depth of the counter bore (including the standard tolerance) — 
shown as a distance from the axis of the hub 


e the minimum depth of 16 mm for the fine limit counter bore 


* the maximum step of 0.25 mm between the surface of the fine limit counter 
bore and the standard tolerance counter bore (‘max step’ feature). 


The diameter of the standard tolerance counter bore was not specified on the 
drawing. 


Observations: 


The wall thickness of the oil feed stub pipe at the counter bore was not an explicit 
feature in the design definition. The design intent was that the interference bore and oil 
feed stub pipe counter bore would be concentric with the outer hub clearance hole 
(datum AA), thereby providing the pipe wall thickness. Accepting that in any normal 
manufacturing environment such features could not be expected to be made in perfect 
alignment, the designers applied both dimensional and positional tolerances to the 
interference bore and oil feed stub pipe counter bore to ensure that an acceptable wall 
thickness would be attained. 


The ATSB determined that the nominal wall thickness of the oil feed stub pipe within the 
counter bore was 0.91 mm. Using the ‘worst case’ tolerance combination of the 
interference bore at its smallest size, the oil feed pipe counter bore at its maximum size 
and the positional tolerances at their extreme values in opposite directions, the minimum 
permissible wall thickness was calculated to be 0.82 mm. 
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Figure 66: Representation of the design definition drawing that defined the oil 
feed stub pipe counter bore 
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Note: the above view is from the side of that shown in Figure 64, consistent with how it was 
depicted on the design definition drawings. 


Manufacturing acceptance of the design definition drawings 


The engine manufacturer reported that, when the design definition drawings for the 
HP/IP support structure were accepted by manufacturing in October 2004, the 
reviewing ME identified a number of issues that required changes to the design 
definition. However, none of those changes related to the oil feed stub pipe counter 
bore features. 


Manufacturing specification and instructions 


Following the manufacturing acceptance of the design definition and during the 
preparation of the manufacturing specification and instructions, the MEs identified 
that the oil feed stub pipe needed to be fitted and welded in place before the oil feed 
stub pipe counter bore could be machined. Because the pipe was in place, the inner 
surface of the clearance hole in the outer hub was not accessible to the machining or 
inspection probes. As a result, datum AA could not be used as a reference for 
further machining operations (Figure 67). 


Observation: 


There was no indication that the design or manufacturing personnel identified, either 
before or during the manufacturing acceptance of the design definition drawings, that 
datum AA would be inaccessible following fitment of the oil feed stub pipe into the hub 
assembly. 
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Figure 67: Inaccessibility of Datum AA with the oil feed stub pipe installed 


Image source: UK AAIB 


During preparation of the manufacturing specification and instructions, a 
manufacturing datum was introduced that was intended to replace datum AA as the 
reference for the oil feed stub pipe features. The inner hub counter bore was 
selected as the manufacturing datum and was designated as datum M. 


The ATSB found no evidence of consultation between the design and 
manufacturing engineers regarding the inaccessibility of datum AA and their 
development and use of manufacturing datum M. The manufacturer reported that at 
the time the Trent 900 manufacturing stage drawings were produced, there was no 
requirement in their procedures for such consultation if the use of the 
manufacturing datum maintained the design intent. 


Manufacturing stage drawings 


Similar to the design definition drawings, the oil feed stub pipe features were 
presented on the manufacturing stage drawings over two sheets. The first of those 
sheets detailed the outer hub clearance hole, the interference bore and the inner hub 
counter bore (Figure 68). The second of those sheets provided the detail on the oil 
feed stub pipe counter bore (Figure 69). 


The positional tolerance for the interference bore differed from the design definition 
only in the magnitude of the tolerance, (20.5 mm rather than (20.05 mm. Of note, 
the tolerance was still identified as being with respect to datum AA. 


The inner hub counter bore was defined, but there was no common axis with other 
oil feed stub pipe features presented on the drawing and, like the design definition 
drawing, there was no positional tolerance applied to the feature. On the same 
drawing sheet, the inner hub counter bore was defined as datum M. No other 
references were made to datum M on that sheet. 


— 90 — 


Observation: 


Because no positional tolerance was specified for the inner hub counter bore, datum M 
was not geometrically constrained. The result was that, according to the manufacturing 
stage drawings, there was no positive geometric connection between datum M and the 
interference bore. 


Figure 68: Representation of the manufacturing stage drawing that identified 
datum M 
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The oil feed stub pipe counter bore detail on the manufacturing stage drawing 
differed from the design definition in that the positional tolerance for the feature 
was referenced to datum M, rather than datum AA. The positional tolerance on the 
drawing was specified as (20.2 mm, rather than the 0.1 mm specified on the design 
definition. 


Figure 69: Representation of the manufacturing stage drawing that defined 
the oil feed stub pipe counter bore 
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Observations: 


There were significant differences between the sizes of the positional tolerances 
specified on the design definition and manufacturing stage drawings. The ATSB did not 
identify an explanation to account for those differences. 


Because datum M had no geometric constraint with respect to the interference bore, and 
hence the location of the oil feed stub pipe, the minimum wall thickness for the oil feed 
stub pipe could not be determined using the specifications presented on the 
manufacturing stage drawings. 


Similar to the design definition drawing, the oil feed stub pipe counter bore feature 
on the manufacturing stage drawings only had the diameter of the fine limit counter 
bore specified. The counter bore max step feature was also specified in a different 
manner to that in the design definition drawing. Rather than an annotation to the 
‘min 16.00 extent’ dimension on the feature on the design definition drawing 
(Figure 66), the step was depicted in a separate enlarged view on the same drawing 
sheet (Figure 70). 


Figure 70: Depiction of the max step feature on the manufacturing stage 
drawing 
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Manufacturing process 


The determination of the manufacturing process started during the design stage, was 
concurrent with the production of the manufacturing stage drawings and was 
completed following the final approval of the design definition. 


The manufacturing process for the HP/IP hub assembly was a combination of 
assembling parts, machining (milling and grinding), welding and inspection/test. 
The process was specified in a set of manufacturing instructions that broke the 
manufacture down into a series of operations (OPs) that were identified by their 
sequence number. 


The manufacture of the HP/IP hub assembly was made up of 23 operations that 
ranged in sequence number from OP 10 to OP 230. Aspects of those operations 
involved in the misalignment of the oil feed stub pipe counter bore are described in 
the following. 


OP 10 Join inner and outer hub castings 


The inner and outer hubs were supplied as preformed items. In this first operation, 
the inner and outer hubs were bolted together using 3 of the 15 attachment lugs in 
the rear of the hubs (Figure 71). 
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Figure 71: Joining of the inner and outer hub castings 


Image source: UK AAIB 
View looking forward from the rear of the assembly. 


OP 15 Machine air and oil pipe location bosses around the outer hub 


The assembly was placed into a machining fixture that secured the assembly in 
place and provided a known reference to the computer numerical control milling 
machine. Although the majority of the features were yet to be machined into the 
hub, there were a number of features preformed into the hub that required the 
correct alignment of the hub within the fixture to ensure the features were machined 
in the correct location. To achieve this, the inner hub was supplied with a 
pre-drilled and reamed high-tolerance hole where the oil feed stub pipe was to be 
located. A pin was fitted into that hole and the assembly was oriented in the 
machining fixture to align the pin with the fixture. This pin was referred to as the 
*timing pin' as it allowed the milling machine to orient itself with the direction of 
the assembly, very much like finding the ‘twelve o'clock position on a clock. 


The manufacturer reported that the intention was for all of the oil feed stub pipe 
features, including the outer hub clearance hole, interference bore and inner hub 
counter bore, to be referenced from the axis of the timing pin, thus replacing datum 
AA in the manufacturing process. 


Observations: 


Although the intention was that datum M would replace datum AA, the inner hub counter 
bore had not been formed at this point and the timing pin effectively became the datum 
until the inner hub counter bore was formed. The datum formed by the timing pin was 
not listed on either the design definition or manufacturing stage drawings. 


By using the timing pin as the reference for locating the interference bore, rather than 
referencing datum AA, the manufacturing process did not match the manufacturing 
stage drawings. 


The assembly was then secured in the machining fixture using a set of clamps that 
secured the outer hub flange (Figure 72, left). The milling machine probed the 
component and the timing pin to orient itself with the assembly. 
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Before the milling operation started, the assembly was clamped using a top plate 
that clamped down on the inner hub (Figure 72, right) and the outer clamps 
removed. The outer surface of the hub was then machined by the mill to form the 
outside shape around the air and oil pipe positions (bosses). The milling operation 
included drilling and reaming of the clearance holes in the outer hub and the 
interference bores in the inner hub. Those operations were carried out from the 
outside of the hub. 


Figure 72: Machining fixture clamping arrangement 


Timing pin 


© Outer hub 
flange 


ae 


The machining of the clearance and interference holes was a seven step process, but 
was essentially performed in four main stages as illustrated in Figure 73. Those 
stages consisted of: 


1 drilling and reaming the clearance hole in the outer hub 

2 forming a shallow counter bore in the outer hub for the sealing washer 
3 drilling and reaming the interference bore in the inner hub 
4 


forming a shallow counter bore in the inner hub to seat the shoulder of the oil 
feed stub pipe. 


The machining fixture was then unloaded from the milling machine, leaving the 
HP/IP hub assembly in situ. 
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Figure 73: OP 15 formation of the oil feed stub pipe holes 
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OP 20 Machine oil pipe bosses inside the inner hub casting 


The machining fixture was then loaded into a different computer numerical control 
milling machine. The outer hub was clamped using the external clamps and the top 
plate clamp removed. A number of features, including the timing pin, were probed 
by the mill and the timing pin removed to provide access to the inside of the hub. 


During operation OP 20, all of the machining was carried out from inside the hub. 
A number of features were milled into the inner hub over a number of hours before 
the inner hub counter bore was milled. The inner hub counter bore was formed by 
the mill’s cutting tool transcribing a circle about the previously probed timing pin 
axis, and then the bore was reamed to the final size. This was intended to increase 
the size of the existing hole in the inner hub. It was expected that the location of the 
timing pin axis would remain aligned with the axis of the hole into which the pin 
had been inserted throughout the OP 20 process. 
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Observation: 


During the investigation, it was found that after the change in the clamping arrangement 
and during the machining processes prior to forming the inner hub counter bore, there 
was movement of the inner hub. Because the machining of the inner hub counter bore 
was carried out several hours after the timing pin had been probed, any movement 
within the hub resulted in the inner hub being in a different position to what it was when 
the timing pin was probed. The result of any movement was that the inner hub counter 
bore was not machined on the axis of the hole in which the timing pin had been inserted 
and hence it was not concentric (the axis was offset) with the interference bore. The 
interference bore had been machined with the timing pin in place during OP 15 

(Figure 74). 


Figure 74: Example of inner hub counter bore/interference bore offset 
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At the completion of the machining, the HP/IP hub assembly was unloaded from 
the fixture. 


OP 70 Dimensional inspection 


After a visual inspection for burrs, damage and other obvious defects, the HP/IP 
hub assembly was loaded into a coordinate measuring machine (CMM ).?' This 
machine contained a computer-controlled program that automatically measured the 
hub's features and produced a report for the inspector to review. 


As described in more detail in section 4.4.3 of this report, this inspection included 
measurement of the size and position of the inner hub counter bore, the interference 
bore and the outer hub counter bore. The position of the interference bore was 
measured and reported relative to the inner hub counter bore (datum M), rather than 
the outer hub clearance hole (datum AA) as listed on both the design definition and 
manufacturing stage drawings. 


?! A machine used to measure the three-dimensional geometric properties of an object that may be 


either manually or computer controlled. 
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OP 110 and OP 120 Fit the stub pipes and weld 


The stub pipes were inserted into the oil feed, vent and scavenge positions. The 
pipes were an interference fit with the inner hub and had to be tapped into position. 
After being checked to ensure their correct installation, the inner end of each pipe 
was welded into the hub. 


Observation: 


Ready access to datum AA was lost when the oil feed stub pipe was fitted during these 
actions. 


A number of other operations were carried out, which included heat treatment and 
non-destructive testing. 


OP 190 Milling of the oil feed stub pipe counter bores 


The HP/IP hub assembly was fitted into the machining fixture and the outer hub 
flange secured using the external clamps. A timing pin” was inserted into the inner 
hub counter bore to orient the hub in the fixture. 


The hub and fixture were then loaded into a computer numerical control milling 
machine, which probed the hub and timing pin to orient itself with the assembly. 
Probing of the timing pin defined the position of datum M and aligned all 
subsequent machining to that axis. The timing pin was then removed to provide 
access to the oil feed stub pipe from the inside of the hub assembly. 


During the milling operation, the oil feed stub pipe counter bore was drilled and 
reamed (see 1 and 2 respectively in Figure 75). 


Figure 75: OP 190 oil feed stub pipe counter bore 
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Note: The wall thickness of the oil feed stub pipe is not shown to scale and has been 
exaggerated for clarity. 


Observations: 


Since the oil feed stub pipe has an interference fit in the inner hub, the outside diameter 
of the pipe is in the same position as the interference bore. Because the oil feed stub 
pipe counter bore was positioned relative to datum M, any misalignment of datum M 
from the interference bore created during OP 20 could result in a corresponding 


82 This was a different timing pin to that used in OP15 because the diameter of the hole had been 


enlarged. 
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4.4.3 


misalignment of the oil feed stub pipe counter bore with respect to the outside diameter 
of the stub pipe. This would in turn result in a reduced wall thickness within the stub pipe 
(Figure 76). 


Figure 76: Reduced oil feed stub pipe wall thickness due to misalignment 
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The engine manufacturer was unaware of the potential for a reduced oil feed stub pipe 
wall thickness until identified in March 2009. Detail regarding the identification of this 
and how it was managed is provided in sections 4.12 and 4.13 of this report. 


OP 230Final inspection 


Finally, the HP/IP hub assembly was cleaned and visually examined before being 
loaded into a CMM for a dimensional inspection. That inspection included 
measurement of the oil feed stub pipe counter bore size and position relative to 
datum M. This is discussed in more detail in section 4.4.3 of this report. 


The visual examination was only aimed at checking for swarf,? surface finish and 
other obvious defects. There was no requirement for the inspector to inspect the oil 
feed stub pipe counter bore for concentricity of the machining, as the process relied 
on the CMM measurements to check for conformity. 


Observation: 


When the end of a stub pipe was welded into place, the interface between the 
interference bore and the stub pipe was obscured by the weld material. Because the oil 
feed stub pipe counter bore was machined after the stub pipe had been welded into 
position, the wall thickness of the oil feed stub pipe could not be seen by the inspector. 
As such, even a significant reduction in the wall thickness would likely not be visually 
detected. 


CMM dimensional inspections 


The manufacturer's CMM was a computer-controlled precision measuring device 
consisting of a fixed table over which a moveable bridge was situated. A moveable 
arm, upon which a calibrated probe could be fitted, was supported from the bridge 


55 Chips of metal removed during the machining process. 
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(Figure 77). The probe could be either manually driven by an operator, or 
automatically driven by a pre-programmed set of movements through a computer. 


The component to be measured was placed on the CMM table and specific features 
were measured by touching them with the calibrated probe. When the probe 
touched the surface, the location of the point in three-dimensional space was 
determined. Shapes could be measured by the collection of a series of points and 
their geometric properties, such as the diameter of a circle, provided to the operator. 


Figure 77: Coordinate measuring machine 


The CMM was used for two inspections during the manufacture of the HP/IP hub 
assembly, at OP 70 and OP 230. Due to the number of measurements to be taken, 
and to ensure consistency, the manufacturer used computer programs to control the 
machine for those inspections. Those programs also produced a report for review by 
an inspector. 


The CMM report detailed the measurements taken of each feature during the 
inspection. This included their measured (actual) value, the nominal value, the 
difference between the actual and nominal values, the high and low tolerances 
related to the nominal value (if applicable) and an error statement (if applicable). 
An error statement was produced if the actual value was outside of the allowable 
tolerance from the nominal value. If there was no error, then the field was left 
blank. An example of a feature measurement is shown in Figure 78 with the error 
column highlighted. 


The inspectors could print the report in either colour or black and white. When 
printed in colour, any error statements were printed in red. The printed report was 
reviewed by an inspector to identify any errors that could indicate a non- 
conforming feature. 
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Figure 78: Example feature from a CMM report (error statement highlighted in 
blue) 


Feature - Circle21 DIM23 

Actual Nominal Difference Hi-tol Lo-tol MMC 
AXIS Y .066 -000 -066 
AXIS 3 -. 061 -000 -.061 


DIAMETER 24.541 24.565 ~.024 -065 -.065 --*+--- 
T.P.RADIUS .089 .025 .020 
T.P.AHGLE 317.282 

T.P.DIAM. .179 .050 .041 : 


Note: In the above CMM report, T.P. DIAM is the 'true position' of the circle with respect to 
the current datum. In the case of a circle, its true position is twice the direct distance between 
its centre and the datum. 


At the time that the Trent 900 went into production, and engine ESN 91045 was 
manufactured in June 2006, the CMM programs were written, checked and 
implemented by the inspectors within Hucknall Casings and Structures. There was 
no formal process for the creation and validation of CMM programs, but it was 
reported that an informal process was used that was based on the process for the 
creation and validation of the computer numerical control programs. That informal 
process was carried out at the inspector level and did not involve the manufacturing 
engineers. 


In August 2007, a formal process for the creation and validation of CMM programs 
was introduced at Hucknall Casings and Structures. The process involved inspectors 
and manufacturing engineers, with the engineers responsible for, amongst other 
things, which features were to be measured. 


The ATSB obtained printed extracts from the CMM programs and reports from the 
inspection of a number of Trent 900 HP/IP hub assemblies. The following 
discussion is based on a review of those programs and reports. A number of features 
were measured during the respective inspections, but only those associated with 
measurement of the oil feed stub pipe features are discussed. 


OP 70 Inspection 


During the OP 70 inspection, the CMM measured the inner hub counter bore and 
set it as the datum (datum M). AII the following measurements were with reference 
to this datum.™ The program then reported the diameter of the feature and 
compared it to the nominal size and allowable tolerance. 


The next feature to be measured was the interference bore, the diameter and the true 
position of which were measured and reported. The positional tolerance in the 
program code at that time was (20.50 mm.” 


The CMM then moved on to measuring the clearance hole in the outer hub, 
measuring the diameter and reporting its true position. Both the program and 
example report showed that the CMM was programmed with a positional tolerance 
of (20.20 mm. 


84 The CMM maintained a datum until it was redefined. 


55 [n December 2007, to better reflect the intent of the design definition, the CMM program was 


revised to reduce the positional tolerance to (20.05 mm. 
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Observations: 


The datum used by the CMM did not reflect the datum referenced on either the design 
definition or manufacturing stage drawings, but was consistent with the intention for a 
manufacturing datum that replaced datum AA. 


The true position of the inner hub counter bore (datum M) was not specified relative to 
any datum on either the design definition or manufacturing stage drawings. It appeared 
that the positional tolerances that were programmed into the CMM were obtained from 
the manufacturing stage drawings, because the values corresponded to the positional 
tolerances specified for those features, but the reference datum changed to datum M. 


The position of the interference bore was neither measured, nor calculated, relative to 
datum AA as required by the design definition and manufacturing stage drawings. 
Although this would not have assisted with the determination of the resulting oil feed 
stub pipe wall thickness, it showed that the inspection method did not provide 
verification, on an ongoing basis, of compliance with the design definition. 


OP 230 Final inspection 


During the OP 230 final inspection, datum M was defined as the reference datum 
for the measurement of features in the oil feed stub pipe. The fine limit counter bore 
in the oil feed stub pipe was measured and the diameter and true position reported. 
The positional tolerance for the counter bore in the CMM program was (20.2 mm, 
which was consistent with the manufacturing stage drawing, but not the design 
definition. 


The CMM program did not include the measurement of a number of design 
definition features relating to the oil feed stub pipe counter bore. Those features 
were the: 


* depth of the fine limit counter bore 

* overall depth of the standard tolerance counter bore 
e diameter of the standard tolerance counter bore 

e max step feature. 

Observations: 


Detailed stress analysis carried out as part of the ATSB's investigation identified that the 
critical oil feed stub pipe characteristic was the wall thickness in the region of the fine 
limit counter bore (refer to section 2.5 of this investigation report). Although the oil feed 
stub pipe features measured by the CMM program did not reflect either the design 
definition or manufacturing stage drawings, the features that were best suited for 
calculating the wall thickness were measured. 


Because the true position of both the interference bore and the oil feed stub pipe 
counter bore were measured from datum M (at OP 70 and OP 230, respectively), a 
relationship between them could be determined. Had the CMM program reflected either 
the design definition or manufacturing stage drawings at OP 70, relative movement 
between the inner and outer hubs and the use of different datums for each 
measurement would have precluded such a relationship. Thus, the CMM program 
reflected the design intent better than the manufacturing stage drawings. 


Although these measurements were taken, they were not used by the engine 
manufacturer to determine the oil feed stub pipe wall thickness during the production of 
the HP/IP hub assemblies. 


Using the relationship generated by the CMM program measurements, the ATSB 
calculated that the minimum oil feed stub pipe wall thickness resulting from the 
manufacturing process, which could pass the CMM inspections, was 0.545 mm. 
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4.5 


4.5.1 


First article inspection 


The first article inspection of an assembly, or component, seeks to ensure that the 
manufacturing specifications and processes are capable of producing an item that 
conforms to the design definition. This inspection process typically involves the 
measurement of all of the features specified on the design definition drawings and 
their comparison with what was specified. 


Manufacturer's first article inspection procedures 


The engine manufacturer's procedure for the conduct of first article inspections 
stated that: 


The purpose of the First Article Inspection is to provide objective evidence 
that all engineering design and specification requirements are properly 
understood, accounted for, verified and documented. 


and defined the first article inspection as: 


A complete, independent, and documented physical and functional inspection 
process to verify that the prescribed production methods have produced an 
acceptable item as specified by engineering definition, planning, purchase 
order, engineering specifications, electronic model and/or other applicable 
documents e.g. manufacturing definitions as agreed by the IPT.*° 


The procedure also noted that the first article inspection will provide confirmation 
that: 


- allthe necessary documentation, equipment and controls are available and 
adequate for ongoing series production of the part, 


- the design and manufacturing procedures and processes are adequate and 
they have been fully utilised to produce the part, and 


- ‘closed loop’ verification that the part, as produced by the method 
examined during this activity, fully meets the design intent. 


There were no specific instructions in the procedure to describe how the inspector 
was to determine the 'design intent'. The procedure was aimed at showing that 
design intent was achieved by confirming that the ‘design characteristics’ of the 
part conformed to the design definition. The procedure defined design 
characteristics as: 


Those dimensional, visual, functional, mechanical, and material features or 
properties, which describe and constitute the design of the article and can be 
measured, inspected, tested, or verified to determine conformance to the 
design requirements... 


Associated with the manufacturer's procedure was a first article inspection report, 
which recorded the first article inspection and contained a checklist to facilitate the 
inspection. One item on that checklist required the inspector to answer (emphasis 
added): 


86 IPT — ‘Integrated program team’. A team that ‘consists of design, manufacturing engineering, 


manufacturing laboratory, process operators, manufacturing management and other relevant 
people.’ 
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4.5.2 


4.6 


Have all final engineering definition requirements been satisfied? 
(Dimensional, notes specifications etc.) 


The procedure defined a 'definition requirement' as: 


Requirements of the definition (including parts lists), specifications, electronic 
models or purchasing documents to which the article is made, including notes, 
specification, and lower-level definitions thereby invoked. 


The procedure also noted that *Observations, such as lack of drawing clarity, should 
be included' as an unsatisfactory item in the report. 


HP/IP hub assembly first article inspection 


The pre-production first article inspection of the HP/IP hub assembly was carried 
out by personnel at Hucknall Casings and Structures on 26 May 2005. The 
signatures on the first article inspection report cover page showed that the 
integrated program team lead was a manufacturing engineer. During the inspection, 
the inspector annotated a set of drawings with the measurements taken, and attached 
those drawings to the report. These drawings were predominantly the 
manufacturing stage drawings. 


The manufacturing stage drawing that contained the detail of the interference bore 
in the inner hub was annotated with the inspector's measurements. Both the 
diameter of the interference bore and its position, with respect to datum AA, were 
measured. As per the drawing, only the diameter of the inner hub counter bore was 
measured. 


The first article inspection report also included the design definition drawing that 
specified the oil feed stub pipe counter bore. However, there were no measurements 
on that drawing, only references to the corresponding manufacturing stage drawing. 
The annotations on the manufacturing stage drawing showed that the size of the fine 
limit counter bore and its position with respect to datum M were measured and 
within limits. The max step feature was also measured and found to be within 
limits. 


Observations: 


The use of the manufacturing stage drawings in the first article inspection of the HP/IP 
hub assembly showed that the manufactured part conformed to those drawings. It did 
not show that the manufacturing processes were capable of producing an item that 
conformed to the design definition, as was the intent of the first article inspection. 


Because the relative location of datum M was not measured with respect to either datum 
AA or the interference bore, the ATSB was unable to determine the minimum wall 
thickness for the assembly that was examined in the first article inspection. As such, it 
could not be determined from the measurements taken if the first article met the design 
intent. 


Features that were missing from the CMM program, such as the 'max step' feature, 
were measured during the first article inspection, indicating that the measurements were 
taken manually, rather than from the automated CMM program. 


UK CAA Regulatory oversight 


The legislation that provided European Union National Aviation Authorities 
(NAA), such as the United Kingdom Civil Aviation Authority (UK CAA), their 
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model for airworthiness regulation was EU Commission Regulations (EC) 
1702-2003. Specifically, in the case of an engine manufacturer within the NAA's 
jurisdiction, Part 21 Subpart G titled ‘Production Organisation Approval’ and 
Subpart J titled ‘Design Organisation Approval’. Both subparts establish the 
procedures for approval issuance through ensuring conformity of products, parts 
and appliances with the applicable design data and set out the rules governing the 
rights and obligations of holders of such approvals. 


In exercising the privileges of these approvals, the approvals holder must ensure 
they perform certain functions as set out in the exposition? they submit to the 
NAA. One of the requirements of the exposition is a submission of a description of 
the approval holder’s quality system and procedures. The requirements for the 
quality system are defined within Part 21 as: 


The production organisation shall demonstrate that it has established and is 
able to maintain a quality system. The quality system shall be documented. 
This quality system shall be such as to enable the organisation to ensure that 
each product, part or appliance produced by the organisation or by its 
partners, or supplied from or subcontracted to outside parties, conforms to the 
applicable design data and is in condition for safe operation, and thus exercise 
the privileges [of the approval]. 


The quality system shall contain ... an independent quality assurance function 
to monitor compliance with, and adequacy of, the documented procedures of 
the quality system. This monitoring shall include a feedback system to the 
person or group of persons nominated by the production organisation to 
ensure that the organisation is in compliance with the requirements of this 
Part, and ultimately to the accountable manager to ensure, as necessary, 
corrective action. 


Under this model of regulation, the UK CAA established oversight of the engine 
manufacturer and confirmed compliance through monitoring of its quality assurance 
functions. This was achieved through a program of regular audits and surveillance, 
whereby the engine manufacturer’s nominated personnel and accountable managers 
demonstrated to the UK CAA compliance with the terms of their exposition. 
Demonstration of compliance was achieved through presentation of evidence from 
a sample specified by the regulator. This program was designed to verify the 
effectiveness of the quality assurance function within the quality management 
system (refer to definition of quality assurance at 4.7.2). 


The regulator’s audits did not replace an internal auditing program within the 
production organisation’s quality management system, but supplemented and tested 
that system. The regulator was not responsible for checking that individual parts 
conformed to the approved design, but rather checked that the quality management 
system had effective processes for identifying and managing product non- 
conformity. 


The ATSB reviewed the role of the UK CAA regarding regulatory oversight of the 
manufacturer and determined that the UK CAA had maintained a regular audit and 
surveillance program which sampled functions and processes within the 
manufacturer’s quality management system. 


87 A document that defines the organisation and procedures upon which the manufacturer's 


regulatory approval is based. 
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4.7 


4.7.1 


4.7.2 


4.7.3 


Quality management system 


A manufacturing organisation's quality management system is a structured and 
documented system to direct and control the quality of an organisation's activities. 
A quality management system invariably comprises quality control and quality 
assurance processes. These are designed to satisfy all customer, regulatory and legal 
requirements with regard to quality standards in manufacturing. 


Quality control 


Quality control is that part of quality management focused on fulfilling the quality 
requirements.” It is a system of technical activities whose purpose is to measure 
and control the quality of a product or service so that it meets all customer, 
regulatory, legal and business requirements. It includes complete or approved 
sample inspection of a product prior to dispatch or release to the next stage in the 
manufacturing line. Quality control can include the use of appropriate statistical 
methods to ascertain that a product falls within specified quality limits, with a 
predetermined degree of confidence based on sample size. 


Quality assurance 


Quality assurance is that part of quality management focused on providing 
confidence that quality requirements will be fulfilled. It relates to the capacity of an 
organisation to monitor its own activities, so that it may remain confident that its 
products fall within specified quality limits, with a predetermined degree of 
confidence. 


Quality assurance relates to the establishment and maintenance of procedures to 
ensure the consistency of an organisation in the realisation of its product. The 
quality assurance process can traditionally be seen in the assessment of the 
documented procedures for completeness and accuracy, and the organisation's 
compliance with those procedures. 


The manufacturer's quality management system 


The engine manufacturer had a production organisation approval from EASA and 
also organisational approvals for ISO 9001:2008*? and AS/EN 9100.?? Approval to 
both these standards was via audit and oversight from an approved, independent 
third-party organisation. All of these approvals required the manufacturer to 
maintain a quality management system. Due to the size of the organisation, the 
manufacturer's quality management system comprised of a large number of 
individual processes and procedures covering their business divisions and range of 


88 British Standard BS EN ISO 9000:2005 Quality Management Systems — Fundamentals and 
vocabulary 


89 [SO 9000 is a series of standards to assist organisations develop an industry accepted QMS. The 


set of standards were published by the International Organisation of Standardisation (ISO). 


9 This standard was created by the International Aerospace Quality Group (IAQG), with 


representatives from companies in the Americas, Asia/Pacific and Europe. This standard 
incorporates the requirements of ISO 9001:2008 and several additional industry requirements and 
definitions. 


— 105- 


4.7.4 


4.7.5 


products and services. Only those parts of the quality management system that were 
directly related to the uncontained engine failure were reviewed by the ATSB. 


The quality management system processes and procedures of interest were 
contained within the group quality procedures. The procedures that were directly 
applicable to the uncontained engine failure were those for the first article 
inspection and non-conformance management. The applicable details from those 
processes are contained within this report. 


Product quality controls 


The engine manufacturer's quality control for produced parts did not rely on 
random sampling, instead it was carried out individually on each part produced. 
This included the inspections and CMM measurements previously described. 


To assist in the quality control of each item and in the higher level quality assurance 
processes, such as internal auditing, the quality management system required 
detailed record keeping. The primary quality control record for each assembly was 
the ‘batch card’. These cards included a sequential list of each of the operations 
required in the production of the part. That list was laid out as a table that included 
columns for information regarding the completion of each operation (Figure 79). 


Insp or | Date Op [sron 
Op Cert | Completes*r; 


Figure 79: Excerpt from a sample HP/IP hub batch card 


TIMES Operation Group/Pat Op R ource Qty 
Op/Suf fix/Keywd P Bock Op Cert ype L 


HCASMARSHL - 


FE ERE SAL Y 


MARSHALLING OPERATION 


0001 MARSHL 


3536F1T0602- 


0010 FIT puppe EE HS i Y 


FIT 


Any manufacturing documents or records associated with the compliance or non- 
compliance of the part were required to be retained. The period for which they were 
to be retained was defined in the group and local quality management system, 
depending on the document or record type. This could include inspection, 
correction, non-conformance and rectification work records. 


The manufacturer's quality assurance function 


The manufacturer's quality assurance function included procedures, processes and 
documentation to ensure the correct and accurate manufacture, release and 
recording of engines, sub-systems and components in accordance with aviation 
safety rules and regulations. Ensuring that staff adhered to procedures, conducted 
processes properly and documented their actions appropriately was also part of the 
quality assurance system. 


The manufacturer had a systems-based auditing program. The program included 
assessments of documented procedures for compliance with minimum standards, 
and the comparison of organisational and individual behaviour against the 
documented procedures. 
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4.8 


Non-conformance management 


The manufacturer had a process for the management of non-conforming parts 
within their group quality procedures. A non-conformance was defined in the 
process as: 


Any aspect of a product which does not conform to the drawings, 
specifications or customer requirement. 


When a non-conformance was identified, the process required that the 
non-conformance was recorded, contained (by segregation and/or marking to 
identify it as a non-conforming part) and sentenced.?' The basic procedure for 
sentencing a part followed the process presented in Figure 80. 


Figure 80: Basic non-conformance management process 


Non-conforming 
part identified 


May require reporting and 
management of safety 
aspects if parts have been 
released to service (refer to 
section on Safety Alerts) 


Contain 
non-conformance 


Can it be Rework by repeating 
reworked? previous operations 


Can it be Raise a 
concessed? concession 


S concession 
acceptable? 


Salvage Rework, repair/ 
required? salvage or rectify 


Allow to proceed 


A term used by the manufacturer where the Technical Authority determined that a non- 
conforming part was acceptable for use or required rectification or scrapping. 


91 
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4.8.1 


4.8.2 


Identification of a non-conformance 


A non-conformance could be identified at a number of stages during the 
manufacture of a part, but was most typically identified during one of the inspection 
operations (for example, OP 230 during the manufacture of the HP/IP bearing hub 
structure). When a non-conformance was identified, a document referred to as a 
CT17 was raised to record information relating to the non-conformance. Each CT17 
was individually numbered and a reference to that number was required to be 
recorded on the non-conformance history for the part. The CT17 number was also 
to be recorded on the batch card in the row corresponding to the operation where 
the non-conformance was identified (Figure 81). 


Figure 81: Example of CT17 reference annotation on batch card (highlighted 
with red dashes) 


353TXRAYS797- 


eo xe IDEN 0008 00 


RAY 1 72 $494 -57 S 


Containment of non-conforming parts 


The management of non-conforming parts procedure included a section on the 
containment of parts that are found, or suspected to be, non-conforming. That 
section referred to the procedure for ‘problem resolution’ and included instructions 
on how to manage containment of the non-conforming product. The problem 
resolution process defined containment as: 


A series of activities to restrict the further effect of an identified problem. 
Containment involves: 
- The location and quarantine of problem product(s) or service(s) 
- A programme of customer protection: 
- To prevent further delivery of the problem product(s) or service(s) 
and/or 


- To significantly reduce the likelihood of product(s) in-service 
impacting the customer 


Containment could also involve revised operating instructions for the product 
or service, where these actions are intended to reduce the effect of the 
problem until a full solution is introduced. 


The manufacturer’s basic process for containment was to: 
e define the problem 
*  prioritise the containment 
* agree containment actions and timescales/ownership 
* execute the agreed containment actions 


e record and monitor those actions 
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4.8.3 


The manufacturer's guidance material for the problem resolution process included 
the following items under the heading ‘Contain the problem and protect the 
customer’: 


e Complete Containment Check Sheet ... 
e Find and quarantine all affected parts already produced: 
O intransit 
o stores stock, despatch 
O despatched to customer 
O work in progress 
o at sub-suppliers. 


Associated with the procedure was a ‘48hr Containment Check Sheet’, which 
included tick boxes that prompted the required steps in the procedure. The first item 
on the check sheet was for the containment action owner to ‘Identify and locate all 
suspect material / parts in the supply chain...’. A series of tick boxes was provided 
to assist in locating the suspect material (Figure 82). There was no tick box for parts 
that had left the direct control of the manufacturer, such as parts already released to 
the customer, or agent, for use on in-service engines. 


Figure 82: Location tick boxes in the manufacturer's containment check sheet 


In Transit | | Work in progress | 


Despatch / Shipping area | | At sub-tiers | 


Stores stock | | 


The problem resolution procedure made reference to the ‘Resolve Customer Issues’ 
process where ‘external customers have been, or are likely to be, directly impacted 
by a problem...’. Problems identified by the manufacturer that could affect a 
customer included the release of non-conforming parts, referred to as ‘escaped’ 
parts. 


Safety alerts 


During the procedure for the control of non-conforming product, the process 
referred to a separate group quality procedure when *... there is potential Aerospace 
external impact'. That separate procedure, entitled The identification/reporting and 
management of safety events and hazards for aerospace products, required the 
manufacturer's departments to: 


ensure that any engine component, material or design condition which might 
be considered a safety issue is made known to the relevant Airworthiness 
department via the submission of a completed SAR. 


The safety alert report (SAR) was ‘fundamentally to identify and communicate 
safety concerns for sentencing as either an unsafe condition or for rejection.’ If it 
was determined to be an unsafe condition, further action was taken to address it. 


There were a number of instances where a safety alert report could be raised. This 
included in the case of an: 
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4.8.4 


Unapproved non-conformance that is subsequently identified to have been 
released via an Authorised release certificate ... and which will not be 
approved by a retrospective concession application will form the subject of a 
SAR. 


Under the procedure, a safety alert report could be raised by any person within the 
organisation when they identified a potential ‘safety issue’. When such a report was 
raised, it was submitted to a ‘focal point’ within the airworthiness department, for 
consideration. If the focal point considered that there was a potentially unsafe 
condition, the report would be sent to the Chief Engineer for sentencing. The Chief 
Engineer would then determine whether the issue constituted an unsafe condition. If 
an unsafe condition was identified, the Chief Engineer was responsible for initiating 
the appropriate containment and corrective actions, based on a fleet-wide risk 
assessment. If it was determined to not be an unsafe condition, the safety alert 
report would be formally rejected, together with reasons for the rejection. 


Observations: 


The safety alert report process provided two levels of consideration as to whether the 
release of a non-conforming part constituted an unsafe condition before any actions 
were taken — the focal point and the relevant Chief Engineer. The Chief Engineer, who 
had a responsibility for the service of the fleet, provided a fleet-wide risk perspective to 
the decision and response to any identified unsafe conditions. However, this first 
required somebody within the organisation to identify that there was a potential safety 
issue and raise a safety alert report. 


Concessions 


Manufactured parts that did not conform to the product specification, and where 
rework of the part (by repeating the previous operations) would not result in 
conformance, were subjected to a ‘concession’ process. The purpose of the 
concession process was to determine if the non-conforming part was acceptable for 
use, or what work was required to either make it conform or to bring it to a state 
where the non-conformance was acceptable. That work could be in the form of 
rework, rectification or repair/salvage. The group quality procedure for the 
concession process defined these actions as follows: 


Rework Use of a sequence of approved operations in an attempt to 
return non-conforming product to a state that conforms 
completely to the drawing definition, specifications or 
customer requirements. This may entail the use of repeat 
standard router operations. 


Rectification Use of a sequence of approved operations that are not repeat 
router operations, in an attempt to make non-conforming 
product conform completely to the drawing definition, 
specifications or customer requirement. 


Repair/salvage Use of a sequence of operations to reduce, but not 
necessarily completely eliminate product non-conformance. 
The purpose of repair/salvage is to return non-conforming 
product to an acceptable condition, which may not 
completely conform to the original drawing definition, 
specification or contract requirement. 


—110- 


The procedure also noted that: 


The process described ensures that a concession application has the correct 
level of authority at all stages of its progress. 


The manufacturer's Training Guide for the concession process provided guidance 
on the completion of the concession form and defined a concession as: 


The authorisation to use, release or supply a limited quantity of a completed, 
or partially completed, product which does not comply with the specified 
technical requirements. 


and stated that: 


Records of non-conformance shall clearly define the deviation to specification 
such that it will readily permit the authorising signatories to make judgement, 
allow technical audit and facilitate a reasonable understanding by 
non-specialists in the field (e.g. a customer). Any supporting data shall be 
referenced in a manner that permits ready recovery. 


All concession applications shall be submitted with sufficient background 
information (including Corrective Action Plans/Reports, root cause analysis 
and if the concessed part will be subject to First Article Inspection Report 
(FAIR)), to allow the authorising signatories to make a judgement. 


The concession application must register one part number per concession, 
except where action is necessary to cover raw material or metallurgical/ 
chemical processes, the final usage of which may involve a range of finished 
parts ... 


The concession application must never be used to circumvent another part of 
the [manufacturer's] Quality Management System. 


To ensure that a concession application was fully considered by all of the 
appropriate people, there were a number of signatures required. Those signatures 
included the person who raised the concession, the Non Conformance Authority, 
the Manufacturing Engineering Manager (or authorised nominee) and other 
functional areas. The Non Conformance Authority was defined as: 


...individuals granted the authority to review and authorise non conformance 
in terms of fit, form and function of any level consistent with the scope of the 
authority granted (i.e. component/engine types/whole engine). 


The Non Conformance Authority was responsible for sentencing the concession and 
determining which functional areas needed to be consulted in support of this 
judgment. An additional signatories sheet formed part of the concession and 
included a list of functional areas, with a number of blank lines below the list. The 
Training Guide noted that the list of functional area signatories was: 


...hot intended to be extensive, so if signatures are required of functions not on 
the list, then use the blank spaces provided. 


The additional signatories sheet included spaces for the consulted functional area to 
annotate their decision regarding the concession, their categorisation of the 
concession and their signature. 


Concessions were categorised according to the impact of the non-conformance. 
Appendix 1 to the group quality procedure provided information on the 
categorisation of concessions and defined three categories for production non- 
conformances as follows: 
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* Category 1 (Cat 1) was defined as a major non-conformance that was 
considered to adversely affect the component and impact on the customer. 
Such non-conformances could affect, amongst other things, the reliability, 
life, or performance of the affected part or component and would therefore 
result in limitations to its in-service use, invoke its non-routine repair, or 
otherwise cause concern to the customer. 


* Category 2 (Cat 2) was defined as a minor non-conformance that required 
identification to users within the manufacturer. A Cat 2 non-conformance 
may have associated conditions that require non-scheduled checks, tests or 
measurements during the remaining manufacturing operations, but would 
otherwise generally not affect the customer. 


* Category 3 (Cat 3) was defined as a minor non-conformance that was not a 
Cat 1 or Cat 2 non-conformance and would therefore have no limitations or 
conditions on its use. 


Under the heading of ‘Reporting’, the procedure required that: 


Significant non-conformance and the effective closure of corrective actions 
shall be reported to, and monitored by, the appropriate Quality review board 
or equivalent. 


There was no information in the group quality procedures, associated appendices or 
training guide that provided any guidance on what constituted a ‘significant’ non- 
conformance. 


Retrospective concessions 


The concession process permitted the retrospective application of concessions to 
parts that had already been released into service. The process was the same as for a 
normal concession except for the following additional requirements: 


With approval of the relevant Chief Engineer and Business Quality Director, 
or equivalent, to cover exceptional circumstances, where a product is found to 
be in service and while deviating from specification, remains fit for purpose, a 
retrospective concession may be raised to permit continued operation. 


Consideration must be given as to whether a Safety alert report should be 
raised. 


Businesses must keep a record of occurrences of retrospective concessions for 
audit purposes. 


There was no specific guidance in either the Training Guide or appendices to the 
group quality procedure on the additional requirements of the retrospective 
concession. Similarly, neither the concession process nor the Training Guide 
specified at what point in the process the Chief Engineer or Business Quality 
Director were to be involved in the retrospective concession approval process. The 
engine manufacturer reported that their interpretation of the process was that the 
Chief Engineer was to be the final signature approving the retrospective concession. 


The manufacturer also reported that at the time of the uncontained engine failure, 
Hucknall Casings and Structures did not maintain a separate register of 
retrospective concessions. Instead, retrospective concessions were recorded as part 
of the register of all concessions. There was nothing within the concessions register 
to note that a concession was retrospective. 
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Observations: 


The standard concession form (including the additional signatories sheet) did not 
contain specific places for the signatures of the Chief Engineer or Business Quality 
Director. Although these could have been placed in the blank spaces on the additional 
signatories sheet, there was nothing obvious to prompt the Non Conformance Authority 
to obtain those signatures. In addition, the form did not require the annotation of a 
concession as being retrospective. 


The retrospective concession process, as used by the engine manufacturer, did not 
involve the Chief Engineer until the final step in the process. This meant that the 
concession was treated in the same manner as a routine concession and that a fleet- 
wide risk assessment was not carried out until all the steps in the routine concession 
process was complete. 


Quality Review Board 


The Quality Review Board's function, according to the manufacturer's group 
quality procedure, was to monitor and ensure effective closure of corrective actions 
relating to significant non-conformances. The terms of reference for Quality 
Review Boards (also termed Directors Quality Boards) were contained within the 
manufacturer's Quality Manual. The manual stated that the terms of reference of a 
quality review board were: 


Presidents, Managing Directors or functional heads of the businesses chair the 
(board) meetings with membership comprising nominated line personnel. 
Meetings are to be held at least three times per year. 


The boards are responsible for reviewing: 


a) Effective implementation of the manufacturer's quality policy and 
objectives, 

b) Achievement of product and service quality, 

c) Implementation and effectiveness of the quality system, 

d) Compliance with the quality system, 

e) Continuous improvement initiatives, 

f) Issues from, or for other boards, 

g) Application of best practice. 


The input to quality management reviews should include information about: 


a) Results of audits, 

b) Customer feedback, 

C) Process performance and product conformity, 

d) Status of preventive and corrective actions, 

e) Follow-up actions from previous management reviews, 

f) Changes, including legal and regulatory items, that could affect the 
quality management system, 

g) Recommendations for improvement. 


The output from the quality management reviews includes any decisions and 
actions related to: 


a) Improvement of the effectiveness of the quality management system 
and its processes, 

b) Improvement of product related to customer requirements 

C) Resource needs. 


The engine manufacturer held a number of quality review boards, each convened at 
a local supply chain unit level. Such a board was regularly held at Hucknall Casings 
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and Structures. The composition of this board included the Manufacturing Manager, 
Manufacturing Engineer Manager, a statistical process control expert, Quality 
Manager, Supply Chain Unit Head of Manufacturing Engineering and Supply Chain 
Unit Quality Executive. 


The manufacturer reported that the board did not perform a quality review of 
individual quality issues regarding process performance and product conformity. 
Instead their responsibilities included the monitoring of the progress of activities 
relating to significant non-conformance when reported to the board. These activities 
would be discussed in terms of the management of the actions required to progress 
the issue to closure. 


Engine hub assembly that was involved in the 
uncontained engine failure 


Manufacture 


The manufacturing records for the HP/IP hub assembly from ESN 91045 showed 
that it was manufactured at Hucknall Casings and Structures between April and 
June 2006. The HP/IP hub assemblies were not allocated a specific serial number, 
but were identified by a unique number applied to the hub castings. The 
identification number for the HP/IP hub assembly from ESN 91045 was 0225. 


The batch card for hub 0225 was reviewed by the ATSB and it was found that all 
relevant manufacturing operations (OPs) and the inspections at OP 70 and OP 230 
were certified as complete. Each of the inspections was carried out by different 
inspectors. 


The CMM reports for the OP 70 and OP 230 inspections were not attached to the 
batch card. The manufacturer reported that the CMM reports for hub 0225, and a 
number of other hub assemblies from around that time, had not been retained. 


There were no non-conformance CT17 form references in either the non- 
conformance history or the individual inspections, to indicate that a non- 
conformance had been identified with hub 0225 at either OP 70 or OP 230 (Figures 
83 and 84). There was one CT17 reference (10-059330) that was listed on both the 
batch card and non-conformance histories, regarding a non-conforming weld 
identified at OP 90. The manufacturing records for hub 0225 contained details 
regarding the rectification of that non-conforming weld and no concession was 
required. 
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Figure 83: Excerpts from hub 0225 batch card 
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There were no concessions attached to the batch card and a review of the register of 
concessions found that none were issued against hub 0225. 


Dimensional examination of the oil feed stub pipe 


A dimensional examination of the oil feed stub pipe from hub 0225 was carried out 
by the ATSB. That examination found that the (Figure 85): ”” 


* true position of the interference bore with respect to datum M was between 
(20.90 and (20.98 mm 


* true position of the oil feed stub pipe fine limit counter bore with respect to 
datum M was between (20.00 and (20.83 mm 


* step between the drilled and reamed counter bores in the oil feed stub pipe 
varied between 0.0 and 0.55 mm. 


The diameters of the interference bore and the counter bores were all of the correct 
size and within tolerance. 


92 Both the oil feed stub pipe and the inner hub bore were subjected to significant temperature and 
force during the engine failure. As a result, the surfaces were subjected to scoring, distortion and 
fracture. The measurements taken reflect the post-event state of the components. Along with the 
measurement uncertainties, an estimate of the level of uncertainty has been included in the range 
of the measured true positions provided. 


—115- 


4.10 


4.10.1 


Figure 85: Graphical representation of the true positions of the bores and 
datum M on the oil feed stub pipe from hub 0225 
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Observations: 


When hub 0225 was manufactured, the true position of the interference bore was 
probably in excess of the limits contained within the CMM program for the OP 70 
inspection. Given the extent of the deviation of the as-measured true position from the 
acceptable tolerance, it would have been expected that the CMM detected the 
difference and produced an error on its report. The expected error was estimated to 
have been in the range from (20.40 to 20.48mm. 


Due to the greater uncertainty in the measurement of the true position of the fine limit 
counter bore; there is uncertainty as to whether the CMM would have produced an error 
at OP 230. The CMM report for the oil feed stub pipe fine limit counter bore could have 
ranged from having no error message, up to an error of around 20.63 mm. 


Because the CMM reports were not retained by the manufacturer, the ATSB was unable 
to positively determine whether any errors were produced and/or recorded at the time. 


Although the step between the drilled and reamed (fine limit) counter bores was outside 
the limit specified in the drawings, it was not measured as part of the CMM program and 
was thus a missed opportunity to detect the non-conformance. 


Major quality investigation 


Background 


The manufacturer's quality management system included a function for carrying 
out an internal major quality investigation when an event was identified that 
affected cost, quality, reputation or customer satisfaction to a significant degree. 


In February 2007, a major quality investigation into one of the manufacturer's other 
facilities at Inchinnan, UK was completed.” The findings of that investigation 
included that: 


... there were instances where the process of non-conformance sentencing did 
not follow the required authorisation. i.e. local acceptance of dimensional 
non-conformance by non-approved personnel ... 


93 The manufacturer's facility at Inchinnan produced a number of other gas turbine engine 


components, including compressor blades. None of those parts directly related to the manufacture 
of the HP/IP hub assembly, but the major quality investigation was the initiator for later events at 
the Hucknall facility. 
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... Production Assembly Operations [were] audited and low levels of minor 
non-conformance (differences between drawing limits and quality acceptance 
standards and perceived measurement variability) [were] being accepted 
locally without concessions being raised ... 


... Inspection records from [the] CMM inspection process were not kept in 
line with the requirements of the EASA part 21 standards ... 


The primary factors behind those findings that were identified by the investigation 
included: 


Informal acceptance of non-conformance by ... shift supervisors 
Operator component and concession familiarity 


The manufacturer reported that ‘concession familiarity’ was a local rule” whereby 
personnel would take it upon themselves to allow minor non-conformances to pass, 
as experience had led them to believe that the concession approval process would 
not fail an item, and was therefore a waste of time. 


A follow-up action to the Inchinnan major quality investigation was to ‘read across’ 
the lessons learned other business units.” 


Hucknall major quality investigation 


In June 2007, two separate audits were carried out at the manufacturer's Hucknall 
facility in the UK. As a result of the audit findings the manufacturer launched a 
major quality investigation of Hucknall facility. The investigation defined the 
problem as: 


... inspection records from the CMM inspection process were not kept in line 
with the requirements of the EASA part 21 standard ... 


Follow up actions to capture and review inspection records from the CMM 
over a 2 week period showed that there were high levels of non-conformance 
identified on the inspection reports that was not completely captured through 
the formal non-conformance management procedure ... 


The audit report also identified issues with the effective implementation of 
other key read across actions from [the Inchinnan major quality 
investigation] ... 


As a consequence of the Hucknall investigation, the delivery of parts from Hucknall 
was stopped until the key elements of a revalidation and containment program were 
completed at the facility. Part of the containment actions was to cover the 
undeclared non-conformances with retrospective concessions. The manufacturer 
reported that because of the lack of CMM reports, retrospective concessions would 
be raised when it was identified that there was an undeclared non-conformance. 


9% The perceived optimisation of a process taken by a person, or group, through the use of shortcuts 


and expectation-driven actions. 


3 During a read across from a major quality investigation, other business units were required by the 


company to implement any changes applicable to their operations as a result of the subject 
investigation's findings. 
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Observation: 


The Hucknall major quality investigation appeared to be focussed on preventing the 
further release of parts with undeclared non-conformances and approving the released 
parts by retrospective concession, if and when they were identified to be non- 
conforming. There was no evidence of an attempt by the manufacturer to accurately and 
reliably determine the conformity, and hence airworthiness, of parts that had left the 
facility and were in service. 


The manufacturer's investigation found that the high level of undeclared non- 
conformance at Hucknall existed because the facility's management had not 
effectively read across the actions from the Inchinnan major quality investigation. 
The Hucknall investigation also found that the ineffective read across was primarily 
because at the time ‘There was not a strong focus on quality within the business’. 


In 2007, the manufacturer conducted a cultural survey of staff within another supply 
chain business unit located within the Hucknall facility. The survey was established 
as an organisation development action to highlight any underlying cultural issues 
and was referred to in the Hucknall major quality investigation as part of the 
implementation of corrective actions. The survey was not conducted as a formal 
part of the investigation and did not include the Transmissions, Structures and 
Drives staff at Hucknall that manufactured the HP/IP structure. 


The cultural survey was conducted by holding a series of focus groups with 
representatives from leadership, machine operators, engineers, and inspectors to get 
their views. This was supplemented by asking individuals involved to anonymously 
complete an organisational culture assessment that was developed by an external 
company. 


The manufacturer reported that the cultural survey identified genuine concern for 
product quality and did not discover evidence of intentional violations of 
procedures. The cultural survey identified that the issues emanated from different 
views or a lack of broader, shared understanding about what was expected from 
quality and inspection processes. The focus group discussions centred on several 
key themes covering: 


e doubts about the inspection process 
e the need for structure and order 

e the ‘golden past 

e focus on delivery to the customer. 


The output was used as part of a briefing for all Hucknall employees, including 
those in the Transmissions Structures and Drives unit to heighten quality awareness. 


In response to the findings of the Hucknall major quality investigation, the 
manufacturer took a number of actions. These included retraining relevant Hucknall 
personnel in the requirements of the non-conformance process and education on 
why it was important to follow the procedures. In addition, the Inchinnan major 
quality investigation ‘read across’ was reintroduced into the Hucknall facility, the 
quality governance processes were amended and there were a number of 
organisational changes made. 
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Regulatory oversight 


In accordance with the requirements of their Production Organisation Approval, the 
manufacturer briefed the UK CAA in respect of the results of the major quality 
investigation at the Inchinnan facility and was subjected to special audits by the 
regulator. The UK CAA’s regular surveillance of the manufacturer was also 
increased during the review period following the Inchinnan investigation. 


The Hucknall major quality investigation disrupted production at the facility and 
required a comprehensive re-training program in key areas of non-conformance 
management and production records management. The manufacturer worked with 
the UK CAA during that process and was subjected to special audits by the 
regulator. 


Concession review 


A review of the manufacturer's concessions register found that, between February 
2006 and July 2007, there was only one concession raised for the Trent 900 HP/IP 
assembly. Thirty-two assemblies were produced in that period. In contrast, there 
was a significant increase in the number of concessions raised on the HP/IP 
assembly following the Hucknall major quality investigation in 2007 (Table 11 and 
Figure 86). 


Table 11: Hucknall facility HP/IP support assembly concessions 


Year No. produced | No. of concessions | No. scrapped 
2006 32 0 2 
2007 14 15 0 
2008 53 29 4 
2009 35 7 1 
2010 70 62 6 


Figure 86: Hucknall facility HP/IP support assembly concessions 
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The ATSB reviewed a number of concession forms raised at Hucknall after the 
major quality investigation. Each of those concession forms listed a number of non- 
conformances. The ATSB’s review identified that those non-conformances included 
one relating to the oil feed stub pipe features. 


Post-major quality investigation concessions 


The concessions that were raised following the Hucknall major quality investigation 
identified a non-conformance in relation to the location of the four interference 
bores in the inner hub for the oil feed, vent and scavenge stub pipes. The non- 
conformance was listed on one of those concessions forms as: 


Hole positions at 4 stations identified PD, PJ, PE, PF [Oil feed, vent, 
scavenge, and vent positions, respectively] are up to 0.298 [mm] from True 
position. 


There was no specification in the concession as to which datum was used to 
reference the true position. 


Annotated with the non-conformance description was a note stating: 
A min gap of 0.85 [mm] has been achieved at all positions. 


The results from a wire gauge check of the clearance between the respective stub 
pipes and the outer hub clearance hole were attached to the concession 

(Figure 87).°° Those results showed a consistent clearance around the pipe, 
indicating that the pipe was centrally located within the outer hub clearance hole. 


Figure 87: Wire gauge check 
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The concession was reviewed and accepted by design, stress and air/fluid systems 
engineers and categorised as a Cat 3 non-conformance. The categorisation of non- 
conformances was discussed in section 4.8.4 of this investigation report. 


Observations: 


In sentencing those concessions, the non-conformance authority was required to 
compare the stated non-conformance with the specification on the design definition and 
assess the effect on the part's form, fit and function. Because the drawings referenced 
the true position of the interference bore for the oil feed stub pipe to datum AA (which 


% A wire gauge check consisted of inserting wires of a known size into the gap to determine the size 


of the gap. 
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was the outer hub clearance hole), the only indicator to the non-conformance authority 
was that there was a possible clearance issue where the stub pipe passed through the 
outer hub. 


Both the manufacturing engineer who prepared the concession form and the non- 
conformance authority would have been unaware that the CMM had actually measured 
the true position of the interference bore relative to datum M, not datum AA as listed on 
the design definition (Figure 88). Given that the results of the wire gauge checks 
indicated that there was not a clearance issue, it was reasonable for the non- 
conformance authority to have determined that the non-conforming part was acceptable 
for use and to have approved the concession without understanding that there was a 
potentially thin wall on the stub pipe. 


Because the manufacturing stage drawings also showed the position of the interference 
bore relative to datum AA, reference to those drawings during the preparation and 
sentencing of the concession would not have provided any further indication of the 
possible reduction in wall thickness. 


Figure 88:Differences in the interference bore reference datums 
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HP/IP bearing support assembly production 
standards 


At the time of the uncontained engine failure, there were three production standards 
for the HP/IP bearing support assembly, all of which were operating within the 
Trent 900 fleet. The different standards were identified as separate part numbers 
and were referred to as the A, B and C standards. ESN 91045 contained an A- 
standard HP/IP bearing support assembly. 


The A-standard assembly was the initial production standard and a total of 38 units 
were produced between 1 February 2006 and 13 July 2007. Initially there was no 
life limit on the assembly but, following the discovery of a defect in the weld that 
secured a vent pipe to the outer hub on a development engine, a 2,000 cycle life 
limit was applied to A-standard bearing support assemblies. 


The B-standard assembly was manufactured between 13 July 2007 and 11 March 
2009, with a total of 67 units produced in that time. There were no differences 
between the A- and B-standards regarding the oil feed stub pipe. Following the 
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discovery of a manufacturing quality issue in the B-standard support struts, a 
14,800 cycle life limit was applied to the B-standard assembly. 


The C-standard assembly had been in production since 20 March 2009 and was the 
current production standard at the time of the uncontained engine failure. Initially, 
there were no differences between the A-, B- and C-standards regarding the oil feed 
stub pipe; however, after producing six units, the reference datum for the oil feed 
stub pipe counter bore in the C-standard assembly was changed to the inner 
diameter of the stub pipe. 


Manufacturing improvement and datum change 


In March 2008, while the B-standard HP/IP bearing support assembly was still in 
production, a definition alteration request was raised by Hucknall Casings and 
Structures at the request of Manufacturing Engineering. The reason for the request 
was listed as: 


Manufacture of the Trent 900 HP/IP structure as it is currently defined is not 
possible without the use of concessions. 


The definition alteration request listed the requested definition changes and 
included a proposed change in the reference datum for the counter bore in the oil 
feed stub pipe. This included the introduction of a new datum (AF) and a request to 
change the positional tolerance reference from AA to AF. Datum AF was defined as 
the inner surface of the oil feed stub pipe (Figure 89). 


Figure 89: Revised oil feed stub pipe counter bore definition 
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The definition alteration request was approved in April 2008 with the justification 
that the requested changes did not affect the design intent of the assembly (form, fit 
and function) and was to be incorporated into the next HP/IP bearing support 
assembly standard (the C-standard). The alteration request also contained a 
handwritten note indicating that it had been incorporated at the request of 
Manufacturing. The design definition drawing for the B-standard HP/IP bearing 
support assembly was amended in July 2008 to incorporate the requested changes. 


The change was not introduced into manufacturing until March 2009, which 
coincided with the introduction of new CMMs at Hucknall Casings and Structures. 
At that time, production of the B-standard HP/IP bearing support assembly had 
ceased and C-standard production commenced. The programs were rewritten for the 
CMM machines and the definition changes incorporated. 
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On 27 March 2009, while performing verification checks on the revised CMM 
program, a manufacturing engineer at Hucknall Casings and Structures identified 
that the counter bore on two previously manufactured HP/IP hub assemblies was 
out of position (or offset) by about (20.50 mm with respect to datum AF. Those 
counter bores had been measured with respect to datum M using the previous 
version of the CMM program and found to have been within tolerance. The 
engineer also identified the effect that the offset would have on the wall thickness 
of the oil feed stub pipe and brought this to the attention of their supervisor and a 
design engineer through discussion and an email. 


The email from the manufacturing engineer detailed the dimensions for the second 
non-conforming part and a calculation of the oil feed stub pipe wall thickness using 
the nominal dimensions for the pipe and interference bore. The resulting wall 
thickness was calculated to be 0.703 mm. The engineer also suggested that a true 
position offset of (20.5 mm was representative of a fair portion of the parts 
previously passed as acceptable. This was qualified by noting that it was too early 
to determine the distribution of those positional offsets and that the previous data 
would not permit a retrospective analysis. 


Observations: 


The identification by the manufacturing engineer on 27 March 2009 of the offset oil feed 
stub pipe counter bore with respect to datum AF was reported by the engine 
manufacturer to be the first time that they had identified the misalignment of the counter 
bore with respect to the pipe's axis. Similarly, it was the first time that the reduction in 
the oil feed stub pipe wall thickness was identified. 


Due to the design definition of the stub pipe, the true position of its inner diameter could 
be off-centre from the interference bore by up to 0.05 mm. By including this, and the 
most adverse tolerances for the counter bore and interference bore diameters, the 
ATSB found that the wall thickness could have been as low as about 0.60 mm. 


The ATSB determined that the minimum wall thickness obtainable when conforming to 
the design definition drawings and datum AF was 0.80 mm. 


Oil feed stub pipe counter bore retrospective 
concession 


On recognising that the counter bores were misaligned on previously manufactured 
HP/IP bearing support assemblies (hubs), Hucknall Casings and Structures raised a 
retrospective concession to cover the 100 non-conforming oil feed stub pipes that 
had been released into service. In order to sentence those parts, their maximum non- 
conformance needed to be determined. 


The manufacturer did not have any specified process to evaluate the degree of 
non-conformance of released components, although a number of tools were 
available to the manufacturing engineer. In the first instance, the engineer measured 
the true position of the oil feed stub pipe counter bores, with respect to datum AF, 
on the nine work-in-progress hub assemblies that were available at the facility. A 
statistical analysis of those measurements was carried out sometime between 27 
March and 3 April 2009 by the engineer using a computer tool regularly used in the 
manufacturer's process control. The results of this analysis were presented as a 
‘process capability report’ with the concession application. The process capability 
report presented, amongst other things, the mean and standard deviation for the 
measured data, based on a normal population distribution. 
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The non-conformance was listed on the concession form in the manner presented in 
Figure 90: 


Figure 90: Description of the non-conformance on the retrospective 
concession form 


3. DESCRIPTION OF 3.1. Detailed Description of the nonconformity 

NONCONFORMITY 
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Note: The 'Part number' box on the form listed only the FW64481 part number. 


The manufacturing engineer was very experienced” in the concession process, but 
had limited experience in using the statistical analysis program. The engineer did 
not seek any input from more experienced users within the organisation during his 
consideration of the concession. Experienced users of the statistical analysis 
program advised the ATSB that the sample of nine work-in-progress hub 
assemblies was not statistically representative of the previously released and in- 
service assemblies. This was because of the number of assemblies measured, and 
the change in the method of manufacture (incorporating computer numerical control 
machining and CMM measurements). 


The manufacturing engineer attempted to convey a qualitative assessment of the 
level of uncertainty within the analysis by including the abbreviation ‘est’ preceding 
‘worse case’. The engineer reported to the ATSB that ‘est’ was included to indicate 
the listed non-conformance was an estimate of the positional error. 


The Non Conformance Authority” who reviewed and approved the retrospective 
concession had received some training in the statistical analysis program and 
method and did not identify any issues with the statistical analysis incorporated into 
the concession application. The authority reported having an expectation that the 
data presented in the concession application was processed by a suitably trained 
person within the Manufacturing Engineering Team. 


The concession form was endorsed by design and stress engineers on 3 April 2009. 
Those engineers reported that their analyses of the oil feed stub pipe counter bores 


9 The manufacturing engineer had been raising concession applications since 1978 when the 


training in support of that skill consisted of raising 50 concessions under supervision. The 
engineer had not received any refresher training on concession applications, other than in the late 
1990's, when the manufacturer provided some training in the computer system that was being 
used at the time for concession applications. At the time the retrospective concession was raised, 
the engineer was generating about one concession per week. 


?5 A qualified engineer who had been involved in a number of engine projects with the manufacturer 


as a design engineer. At the time the retrospective concession was raised, the non-conformance 
authority had 2 years of experience as a design scheme supervisory signatory, was a design 
concession approval signatory and had been a regular attendee at concession review boards for 
over 1 year. 


uod 


as presented on the form was based on a maximum non-conformance of (20.70 mm, 
and that they considered the effect of that non-conformance on the component's 
form, fit and function. They established the wall thickness of the oil feed stub pipes 
and used a computer structural analysis model to ensure that the stress in the pipes 
would remain within allowable limits. 


Observations: 


It was likely that the stress analysis carried out by the stress engineer was not as 
detailed as that carried out as part of the ATSB investigation, which had the benefit of 
additional data as a result of the uncontained engine failure (see section 2.5 of this 
investigation report). The stress analysis by the manufacturer as part of the ATSB 
investigation found that a very detailed model was required to capture the actual peak 
stress in the oil feed stub pipe wall, and to assess the resulting fatigue life. 


The true position of the oil feed stub pipe counter bore in ESN 91045 was greater than 
(20.70 mm from datum AF. As shown later in section 4.15 of this investigation report, 
there were a number of other counter bores that had thinner wall sections and thus had 
a counter bore with a true position from datum AF greater than the 20.70 mm in the 
retrospective concession. Thus, the results of the statistical analysis used to sentence 
the retrospective concession did not accurately represent the population of the 
in-service oil feed stub pipe counter bores. 


The ATSB calculated that the minimum wall thickness in the oil feed stub pipe when the 
true position varied from datum AF by 20.70 mm was 0.50 mm. 


The retrospective concession form was sentenced on 3 April 2009 and categorised 
as a Cat 3. That categorisation was supported by the design and stress engineers 
who reviewed the concession. The ATSB compared the concession with the 
requirements of the group quality procedures and, in the context of the information 
in the concession alone, found that the categorisation was compliant with those 
procedures. 


The manufacturer provided the ATSB with a copy of the notes from the 
Transmissions, Structures and Drives — Hucknall Casings and Structures Plant 
Quality Board (quality review board) convened on 10 June 2009 (the first Quality 
Review Board meeting convened after the retrospective concession). There was no 
reference in those notes of the oil feed stub pipe retrospective concession, indicating 
that it had not been reported to the Quality Review Board. 


The non-conformance authority did not expect that the in-service components 
would be individually checked for conformance with respect to the limits specified 
on the retrospective concession. However, the authority did expect that the 
components would be tested for any cracking at the next overhaul as part of the 
normal overhaul procedure. 


The completion of the retrospective concession form did not comply with the 
manufacturer's process in a number of areas, including multiple part numbers being 
listed on the one form.” Secondly, the retrospective concession had not been 
approved by either the Chief Engineer or the Business Quality Director. Upon 
reviewing the concession application form, as part of the ATSB investigation, the 
non-conformance authority recognised that it lacked those signatures, but could not 
recall why they had not been obtained. 


99 There were four part numbers, which represented a development standard, and the A-, B- and C- 


standards. 
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4.13.1 


4.13.2 


4.14 


The manufacturer provided the ATSB with a copy of the notes from the 
Transmissions Structures and Drives quality review board convened in June 2009 
(two months after the retrospective concession). There was no reference in those 
notes of the retrospective concession, or any other significant non-conformances. 


Observation: 


By not obtaining the approval of the Chief Engineer and Business Quality Director for 
the retrospective concession that was issued in April 2009, the opportunity for their 
experience to have an effect on the consideration of the concession and the fleet-wide 
risk assessment was missed. 


Containment of non-conforming parts 


The manufacturer reported that when the non-conforming oil feed stub pipe counter 
bores were detected, all of the parts that had not been delivered to customers were 
quarantined in accordance with their containment procedure. They also reported 
that the Chief Engineer would normally decide what fleet action was required but, 
because in this instance the Chief Engineer was not included in the process, that 
level of decision was not taken. 


On the local level, when the retrospective concession was sentenced it was 
determined to be a Cat 3, as it was assessed to have no effect on the customer. As 
such, it did not require the containment of in-service components. 


Other retrospective concessions 


A review of previous concessions by the manufacturer was carried out after the 
UERF involving VH-OQA and it was found that retrospective concessions made up 
approximately one in 1,000 of all concessions raised. The Non Conformance 
Authority that sentenced the retrospective concession on the oil feed stub pipe 
counter bores reported that in their time as an authority, they had reviewed in excess 
of 1,000 concessions. Of these, probably less than 10 were retrospective 
concessions. 


In a review of the concessions completed by the Civil Large Engine operations? 
after the UERF involving VH-OQA, the manufacturer identified 138 retrospective 
concessions in the period from 2009 to 2011. Of these, 131 were not compliant with 
the process, and they were subsequently revalidated and sentenced by the Chief 
Engineer and Business Quality Director. 


Partial first article inspection 


Following the implementation of datum AF, Hucknall Casings and Structures 
performed a partial first article inspection of the HP/IP bearing support assembly. 
That inspection was limited to the features that had been varied by the definition 
alteration request. 


100 Civil Large Engine operations included a number of engine projects and numerous supply chain 
units. 
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4.14.1 


4.14.2 


Change in the first article inspection process 


In the time since the original pre-production first article inspection, the first article 
inspection process had been modified in a number of ways. These modifications 
included: 


* arequirement for a Design Authority to authorise the first article inspection 
report 


* the inclusion of a requirement to certify the ‘closure of non-conformance’ 
identified during the first article inspection 


* improved definitions. 


The group quality procedures noted that design authorisation was only required 
when the measurement system capability was below target, multiple non- 
conformances were present, or the process capability was below target. Further, a 
field was included on the first article inspection report proforma for Design 
Authority signature, but in cases where there was no requirement for design 
authorisation, the field was to be marked ‘N/A’. 


The revised process included a section for the closure of non-conformance 
identified during the first article inspection (FAI). That section stated that: 


The FAI is not complete until the Organization closes all non-conformances 
affecting the part and implements corrective actions. The Organization shall 
re-do a FAI for those affected characteristics and shall record the results. 


The definitions section of the revised process included a number of enhancements. 
Of particular note was the inclusion of a definition for the term ‘definition’, which 
precluded the use of stage drawings or locally generated definitions as follows 
[emphasis added]: 


Definition The original engineering drawings, models, functional 
requirements and other elements that define the product under 
consideration. ... Stage drawings or other locally generated 
definitions, may not be used for the completion of the FAI 
activity. 


Completion of the partial first article inspection on the HP/IP 
HP/IP bearing support assembly 


The partial first article inspection was carried out on an HP/IP bearing support 
assembly that had been produced using the revised manufacturing method 
(including datum AF) on 29 April 2009. A first article inspection report was 
produced to record the completion and findings of the inspection. A number of 
items in the partial inspection report were of interest: 


e The design authority signatory field was marked as ‘N/A’ and the 
justification given was that it was an existing part. 


e The dimensional results from the first article inspection showed that the 
true position of the counter bore was (20.20 mm, while the maximum 
permitted was (20.10 mm. The overall depth of the counter bore was also 
outside the allowable limit. The non-conformances were noted on the report 
along with the associated concession number. The form was marked 
‘Conditional Accept. Non-conformance subject to concession.’ 
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4.15 


Also of note was that the *max step' feature was not measured and the drawings 
attached to the inspection report were manufacturing stage drawings, not the design 
definition drawings. 


Observation: 


During the partial first article inspection, the true position of the fine limit counter bore 
was out of tolerance by twice the allowable limit. A concession was raised to cover that 
non-conformance, but this did not strictly meet the intention of the procedures for the 
closure of non-conformances found during first article inspections. 


Given the context of the only recently raised concession allowing the continued use of 
parts in service with counter bores out of tolerance by seven times the allowable 
(maximum permitted of 20.10 mm compared to a maximum non-conformance of 
(20.70 mm), the non-conformance identified in the partial first article inspection was 
probably considered by the manufacturer to be acceptable. 


Datum AF was introduced as part of a definition alteration request in order to reduce the 
rate of non-conformance. Yet the feature of concern did not conform, indicating that the 
change in datum did not successfully remedy the problem. 


Other non-conforming Trent 900 HP/IP bearing 
support assemblies 


Following the UERF involving VH-OQA, the engine manufacturer surveyed the 
Trent 900 fleet of engines in an attempt to determine the wall thickness of the oil 
feed stub pipe in all engines produced up to March 2011. In the case of the engines 
for which the manufacturer had retained the CMM reports, the wall thickness was 
calculated using the measurements taken during OP 70 and OP 230. 


A number of other methods were used to determine, or estimate, the wall thickness 
for the other engines for which no CMM reports were held. This included the direct 
measurement of oil feed stub pipes that were removed from HP/IP bearing support 
structures when those structures were retired from service, and the on-wing 
measurement of the internal counter bore features using a borescope™”' or a rubber 
cast taken from an engine's oil feed stub pipe counter bore region. 


The results of the calculations and estimates were provided to the ATSB and are 
presented in Figure 91. 


10! A slender optical device that is capable of being inserted into narrow apertures to inspect the 
interior of machinery. 
Measurements were taken between the internal pipe diameter and the drilled counter bore, and the 
wall thickness estimated from those measurements. There were a number of limitations on that 
method, including assumptions that the reamed counter bore was offset in the same direction as 
the drilled counter bore (which, in the case of ESN 91045 was not), of nominal dimensions for all 
other features, and that the inside diameter of the pipe was coaxial with the interference bore. 
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Figure 91: Oil feed stub pipe wall thickness survey, determination and 
estimates (No. 2 engine hub assembly from VH-OQA highlighted) 
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Note: The wall thicknesses from 17 of the 38 A-standard HP/IP bearing support assemblies 
produced were available to the ATSB. 


The true position of the oil feed stub pipe counter bore was measured from both 
datum M and datum AF for two of the in-service oil feed stub pipes that were 
identified as having a reduced wall thickness. The results of those measurements are 
shown in Table 12. 


Table 12: Comparison of the true position of oil feed stub pipe counter bore 


Hub Assembly True position True position 
relative to relative to 
datum M datum AF 

(mm) (mm) 
0248 (20.169 (21.184 
0250 (20.158 (21.220 


Observation: 


Hub assemblies 0248 and 0250 were manufactured at a time when the CMM program 
measured from datum M and had a tolerance of (20.2 mm. Hence, those assemblies 
were unlikely to have produced an error when measuring the true position of the oil feed 
stub pipe counter bore at OP230. If the tolerance had been consistent with the design 
definition drawing and been (20.1 mm, they would likely have produced errors during 
that inspection. 


The CMM reports for those assemblies were not retained by the manufacturer, so it 
could not be conclusively determined if an error was reported at OP70. However, given 
the degree of variation between the measurements from the two datums, it is likely that 
an error was reported. 
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5 


ANALYSIS 


5.1 


5.2 


Introduction 


Shortly after takeoff from Changi Airport, Singapore, a Qantas Airbus A380-842 
aircraft registered VH-OQA, sustained an uncontained engine failure. The engine, a 
Rolls-Royce Trent 972, was mounted on the No. 2 position on the wing. The debris 
released from the engine resulted in significant damage to the engine and airframe. 


Although there was significant damage to the aircraft structure and systems, the 
aircraft was capable of continued safe flight and landing. Furthermore, the flight 
crew operated in accordance with standard operating procedures and practices. 
Therefore, this analysis is focused on the failure of the No. 2 engine and the factors 
that lead to the failure. 


This analysis is structured to provide an overview of the engine failure mode, as 
detailed in Part 3 of this report, and examines the factors involved in the release of 
non-conforming Trent 900 series engines into operational service. It also examines 
the opportunities when the non-conformances could have been detected and 
preventative actions taken prior to the uncontained engine rotor failure (UERF) of 
the No. 2 engine on VH-OQA. 


The analysis is concluded with a discussion on the opportunity presented to extend 
the knowledge base relating to the hazards from UERF events and to incorporate 
that into the airframe certification advisory material. 


The occurrence event 


The uncontained engine failure was the result of an internal engine fire in the high 
pressure/intermediate pressure (HP/IP) bearing support assembly that heated the 
intermediate pressure (IP) turbine drive arm until the material failed. 


A fatigue crack had formed in the wall of the oil feed stub pipe over a period of 
time, and on the occurrence flight the crack reached a size that permitted the release 
of oil as an atomised spray into the buffer space between of the HP/IP bearing 
chamber. It was sufficiently hot within this chamber for the oil spray to auto-ignite. 


The fire propagated through the bearing chamber buffer space, eventually 
impinging upon the IP turbine disc, resulting in the separation of the disc at the 
drive arm. The IP turbine disc moved rearwards and the engine surged. Within 4 
seconds, the disc accelerated, and while the engine was running down from the 
surge, the HP system partially recovered, supplying additional energy to the IP 
turbine disc, allowing it to accelerate to a rotational speed in excess of its structural 
capacity. 


The disc fractured into three main sections that had sufficient energy to penetrate 
the engine case and exit at high speed. Sections of the IP turbine disc and associated 
debris impacted and damaged the aircraft structures and systems. 


The crack that formed in the oil feed stub pipe was a result of the normal operating 
movement of the HP/IP hub and the increased stresses in the pipe as a result of its 
reduced wall thickness. The reduced wall thickness was due to the counter bore for 
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an oil filter being misaligned with the axis of the oil feed stub pipe during 
manufacture. 


5.2.1 HP system recovery 


The HP system recovery during the engine rundown that followed the separation of 
the IP turbine from the drive arm supplied additional energy to the separated IP 
turbine. That HP recovery had not been expected by the manufacturer, whose 
modelling during the design and certification for the engine did not predict such 
behaviour. The manufacturer's experience with other engines in the Trent family 
had indicated that the system would not recover from the surge and the IP turbine 
would not reach a speed in excess of its design capability. 


5.3 Misalignment of the oil feed stub pipe counter bore 


How the counter bore in the oil feed stub pipe came to be misaligned, released into 
service and remain in service undetected was a complex combination of events and 
missed opportunities that started with the design of the engine. 


The counter bore in the oil feed stub pipe became misaligned with the axis of the 
pipe due to movement within the hub structure during the manufacturing process. 
Between the time when the location of the timing pin was measured and the inner 
hub counter bore was formed, the inner hub moved relative to the milling machine. 
Because the interference bore, into which the oil feed stub pipe was later fitted, had 
previously been formed on the axis of the timing pin, the inner hub counter bore 
was not aligned with the axis of the interference bore, and hence the axis of the oil 
feed stub pipe. 


After the oil feed stub pipe was fitted to the hub, the oil feed stub pipe counter bore 
was machined using the inner hub counter bore as the reference datum to position 
the counter bore. Because the inner hub counter bore was misaligned with the axis 
of the stub pipe, so too the oil feed stub pipe counter bore was misaligned with the 
axis of the stub pipe. This resulted in a locally thin wall in the oil feed stub pipe 
(Figure 92). 


Figure 92: Effect of misaligned counter bore on pipe wall thickness 
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5.4 Detection of the misalignment during manufacture 


Dimensional inspections were carried out on two occasions during the manufacture 
of the HP/IP bearing support hub structure that measured oil feed stub pipe counter 
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5.4.1 


5.4.2 


bore features; OP 70 and OP 230. At OP 70, the coordinate measuring machine 
(CMM) used to measure the position of the interference bore was programmed to 
measure features relative to the inner hub counter bore (datum M). An error was 
included in the CMM report if the measured position of that feature was outside of 
the defined limits. Similarly, the CMM was programmed so that, at OP 230, the 
position of the oil feed stub pipe counter bore was measured relative to the inner 
hub counter bore and an error recorded in the report if outside of the defined limits. 


Engine ESN 91045 - installed as the No. 2 engine on VH-OQA 


According to post-accident measurements, an error should have been reported at 
OP 70 during the manufacture of the HP/IP bearing support structure hub assembly 
from engine serial number (ESN) 91045. Due to the failure-affected condition of 
the recovered components, it was less certain whether an error should have been 
produced at OP 230. Because the CMM records for the HP/IP bearing support 
structure in ESN 91045 was not retained by the engine manufacturer, the ATSB 
could not determine if an error was printed on the CMM report. Even if an error 
was produced, there may have been a number of reasons to explain why it was not 
reported as a non-conformance. This could have included a problem with the print- 
out, simply missing it when reviewing the report or an erroneous second 
measurement that indicated that there was no error. 


Other affected Trent 900 engines 


The ATSB identified a number of other HP/IP hub assemblies fitted to Trent 900 
engines that contained misaligned oil feed stub pipe counter bores and had been 
released into service. There were a number of explanations as to how this occurred, 
but these could be divided into two groups: those released into service prior to the 
Hucknall major quality investigation and those following that investigation. 


Prior to the Hucknall major quality investigation 


One of the findings of the Hucknall major quality investigation was that the facility 
was releasing components with a large number of non-conformances that had not 
been declared in the documentation (undeclared non-conformances). 


Post-accident determination of the oil feed stub pipe wall thickness from a number 
of the HP/IP hub assemblies produced prior to the Hucknall major quality 
investigation indicated that there were a significant number that did not conform to 
the design intent. It was therefore likely that HP/IP hub assemblies were released 
with undeclared non-conformances. 


Given that there were a number of inspectors involved over the 3-year period 
leading up to the major quality investigation, it was likely that a culture ^ existed 
within the Hucknall facility that considered that not strictly adhering to the non- 
conformance management procedures in the group quality procedures was a viable 
form of behaviour. Specifically, it was considered acceptable to release parts with 


102 Defined as ‘shared values (what is important) and beliefs (how things work) that interact with an 
organisation's structures and control systems to produce behavioural norms (the way we do things 
around here)' Reason, J. 1997. Managing the risks of organisational accidents. Ashgate: 
Aldershot UK (p.192). 
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undeclared non-conformances that were considered by at least some of the 
inspectors to be *minor'. 


Many leading human factors researchers have discussed the issues large 
aerospace organisations face to maintain an ultra-high level of safety. They state 
that large aerospace organisations are complex sociotechnical systems made up of 
organised humans producing highly technical artefacts for complex systems, such 
as modern aircraft. Due to the inherent nature of these complex sociotechnical 
systems, their natural tendency is to regress if not constantly monitored — and 
occasionally even when monitored vigorously. This natural regression can occur 
due to the pressures applied via global economic forces, the requirement for 
developing growth, profit and market share for stakeholders and the striving for 
greater efficiencies regarded as commercially essential in what is a very competitive 
market. 


The often less than ideal interaction between humans and organisations' written 
processes and procedures can also influence in this situation. In this environment, 
aspects usually captured by the controls put in place by the organisation's quality 
management system can be missed. 


The complex sociotechnical system movement identified by the previously 
mentioned human factors researchers may provide a high-level, overarching 
explanation as to why, at the Hucknall facility in mid-2006, a number of staff 
involved in the production of the HP/IP hub assemblies did not strictly adhere to 
procedures as laid down in the group quality procedures. The ATSB established that 
through the Hucknall major quality investigation and other initiatives, the 
manufacturer has recognised and addressed these issues. 


Following the Hucknall major quality investigation 


The step increase in the number of concessions being raised for the HP/IP support 
assemblies following the Hucknall major quality investigation indicated that there 
was a cultural shift following the investigation and its associated actions having 
effect. Those concessions included non-conformances relating to the oil feed stub 
pipe. Examination of the CMM records and the oil feed stub pipe concessions 
showed that for the support assemblies produced there was an error identified in the 
true position of the interference bore and that a wire gauge check had been carried 
out following installation of the oil feed stub pipe. The concessions only identified 
that the position of the interference bore had a non-conformance and made 
reference to the applicable design definition drawing. 


In sentencing the concessions, the reviewing Non Conformance Authorities would 
have made reference to the design definition drawing. They would not have been 
aware that the CMM program measured the position of the interference bore from 
datum M rather than from datum AA, as shown on the design definition drawing. 


103 Rasmussen, J. (1997). Risk management in a dynamic society: A modelling problem. Safety 
Science, 27(2/3), 183-213; Reason, J. (1997). Managing the risks of organizational accidents. 
Aldershot, UK: Ashgate; Hollnagel, E. (2004). Barriers and accident prevention. Aldershot, UK: 
Ashgate; Hollnagel, E., Woods, D.D., and Leveson, N. (2006). Resilience engineering: Concepts 
and precepts. Aldershot, UK: Ashgate; Dismukes, R. K., Berman, B.A., and Loukopoulos, L.D. 
(2007). The limits of expertise: Rethinking pilot error and the causes of airline accidents. 
Aldershot, UK: Ashgate; Hollnagel, E. (2009).The ETTO principle: Efficiency-thoroughness 
trade-off: Why things that go right sometimes go wrong, Aldershot, UK: Ashgate. 


3d 
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5.5 


5.5.1 


The manner in which the non-conformance was presented in the concession would 
have indicated that there was a possible lack of clearance between the oil feed stub 
pipe and the outer hub. However, given that this was not the case, and the wire 
gauge check showed that there was adequate clearance, the non conformance 
authorities sentenced the parts on that basis and determined that the assembly was 
acceptable for use. 


Even though the errors identified by the CMM were an indication that there was a 
potentially thin wall on the oil feed stub pipe, the opportunity to detect this was 
missed because of the difference between the datum used in the CMM program and 
the one listed on the drawings. 


Effectiveness of the OP 230 inspection 


Because the feature used as datum M (the inner hub counter bore) was not 
constrained to the oil feed stub pipe location, the measurement of the oil feed stub 
pipe counter bore at OP 230 did not provide assurance that the counter bore was 
concentric with the oil feed stub pipe. Thus, once a non-conformance had been 
accepted during OP 70, either in accordance with the non-conformance 
management procedure or not, a reduced wall thickness could be produced without 
an error being reported in the CMM report at OP 230. This was shown to be the 
case on at least two occasions when post-accident measurements showed that an 
error at OP 230 was unlikely using datum M but, when measured from the stub pipe 
inner diameter axis (datum AF) showed a large error in position. 


To ensure that an acceptable wall thickness was maintained, the designers applied a 
tight tolerance on the allowable deviation of the location of the interference bore 
and counter bore. However, when the manufacturing drawings were produced, 
those tolerances were increased - the location of the interference bore by a factor of 
10 and the counter bore by a factor of two. Both further increased the potential size 
of any misalignment of the counter bore in the oil feed stub pipe. The ATSB was 
unable to determine why those tolerances had been increased. 


Opportunities to detect the misalignment of the oil 
feed stub pipe counter bore 


The ATSB identified a number of opportunities throughout the design and 
production of the Trent 900, prior to the uncontained engine failure event, where the 
potential for misalignment of the oil feed stub pipe counter bore could have been 
identified. These existed during the production of the manufacturing specifications 
and instructions, during the first article inspection, and when the manufacturing 
reference datum was changed. 


Production of the manufacturing specification and instructions 


The design definition required that the interference bore and oil feed stub pipe 
counter bore positions be constrained relative to the outer hub clearance hole 
(datum AA). In producing the design definition, the design engineers had not 
identified that datum AA became inaccessible when the oil feed stub pipe was fitted 
to the hub assembly. Neither was it identified during the manufacturing acceptance 
of the design definition drawings by the manufacturing engineers. From the 
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5.5.2 


evidence available, the ATSB could not determine why it was not identified. 
However, given the large number of features and associated manufacturing 
processes required to produce the hub assembly, it was concluded that it was 
probably an oversight. 


The inaccessibility of datum AA was identified by the manufacturing engineers at 
some time following the manufacturing acceptance, and during the determination of 
the manufacturing specification and instructions. This provided an opportunity for 
the manufacturing engineers to discuss the problem with the design engineers; 
however, no discussion was found to have taken place and a separate manufacturing 
datum was introduced. This datum (datum M) was intended to replace datum AA 
during the manufacture of the hub assembly. At the time, there was no requirement 
for the manufacturing engineers to discuss the use of manufacturing datums with 
the design engineers and the decision to introduce datum M was likely made with 
the belief that the design intent would be maintained. The possibility of movement 
of the inner hub during manufacture and the effect it could have when using datum 
M was not recognised by the manufacturer. 


First article inspection 


The next opportunity for the misaligned oil feed stub pipe counter bore to have been 
identified was in May 2005 when the first article inspection was carried out prior to 
commencement of production. By using the manufacturing stage drawings the 
inspector found that all measurements conformed to that drawing, but this did not 
show conformity to the design definition drawing. Neither did it ensure that the 
design intent was achieved, because the lack of constraint on datum M meant that 
the alignment of the counter bores and the stub pipe could not be assured. Thus, the 
first article inspection did not ‘close the loop’ on the production method and could 
not confirm that the design intent was attained. 


Had the inspector carried out the inspection using only the design definition 
drawings, they would have formally identified that they could not conform to those 
drawings. This should have resulted in the first article failing the inspection and the 
issue addressed. 


The ATSB assessed that the wording within the first article inspection procedures 
had ambiguities that may have led the inspector to believe that the use of 
manufacturing stage drawings was acceptable. The first article inspection report 
was signed off by the Integrated Programme Team lead, indicating that this 
understanding of the process was not restricted to the inspector. 


The ambiguities in the first article inspection procedure lay predominantly in the 
wording used in the definition of key terms. The wording of the definition for ‘first 
article inspection' indicated that manufacturing stage drawings were included in the 
‘other applicable documents e.g. manufacturing definition’ that could be used to 
show conformance to the design. The definition of 'definition requirement' did not 
clarify this any further as it permitted the use of a ‘lower-level definition’ that may 
have been interpreted as including manufacturing stage drawings. 


The first article inspection procedure noted that part of its purpose was to provide 
confirmation that the production method resulted in a part that fully met the design 
intent. However, neither the procedure nor the associated guidance information 
required the inclusion of the applicable design engineers in the process. Due to the 
lack of guidance information and without including the design engineers in the 
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process, the ATSB could not ascertain how the first article inspection team would 
ensure that the design intent was achieved. 


Change in the oil feed stub pipe counter bore reference datum 
and the retrospective concession 


The change in the reference datum for locating the oil feed stub pipe counter bore 
from datum M to datum AF occurred in March 2009. At that time a manufacturing 
engineer was alerted to the effect that the position of datum M was having on the 
wall thickness. This engineer also identified the likelihood of escaped parts in the 
in-service Trent 900 engine fleet. In an attempt to define the non-conformance, the 
engineer used a statistical analysis approach that was based on the available nine 
work-in-progress assemblies at the Hucknall facility. The statistical analysis tool 
used by the engineer was not capable of providing results that were representative 
of the variation in oil feed stub pipe counter bore position within the in-service 
fleet. 


The manufacturing engineer's attempt to convey their level of uncertainty to the 
non conformance authority was not effective. The language used on the concession 
form to define the non-conformance likely gave the non conformance authority and 
the design and stress engineers the impression that the maximum non-conformance 
was 0.7 mm, rather than 0.7 plus or minus some unknown level of uncertainty. The 
use of terms such as ‘up to’ to define the non-conformance and ‘est worse case’ in a 
clarifying note were more consistent with a maximum case for consideration, rather 
than the result being an approximation with an inherent degree of uncertainty. The 
non conformance authority, design and stress engineers appear to have considered 
the concession on the basis that 0.7 mm was the maximum level of non- 
conformance. 


Although the different production standard parts were similar, the parts that were 
measured by the manufacturing engineer were all C-standard parts. However, the 
retrospective concession for the oil feed stub pipes contained four part numbers on 
the one form, rather than one part number per form, in accordance with the 
requirements of the engine manufacturer's non-conformance management process. 
The use of measurements from a part number different to that on the form may have 
highlighted that the measurements were not necessarily applicable to that part and 
alerted the non conformance authority to the non-representative nature of the 
statistical analysis. 


There was no indication that the non conformance authority who sentenced the 
concession identified that there was any uncertainty regarding the statistical 
analysis, or that they recognised that the results were not representative of all of the 
parts within the facility and in the in-service fleet. Because there was no 
requirement to obtain expert advice when statistical analysis was used in a 
concession application, further advice from the statistical process control experts 
within the organisation was not obtained. 


Contrary to the manufacturer's additional requirements for a retrospective 
concession, neither the Chief Engineer nor the Business Quality Director approved 
the retrospective concession. Although this would not have necessarily ensured that 
the concession was not approved, and that additional safety actions were taken, it 
was another opportunity that was missed to detect the non-conformance in the Trent 
900 fleet of engines before engine ESN 91045 sustained an in-flight uncontained 
failure. 
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Fleet wide risk assessment 


Concessions were primarily sentenced within the business unit where the 
component was being produced, in this case Transmission, Structures and Drives. 
However, when sentencing a retrospective concession, the Chief Engineer's 
approval provided a broader fleet-wide assessment of the risks associated with 
permitting non-conforming parts to continue operation in the fleet. This related to 
whether the non-conformance posed a fleet-wide risk and what containment action 
may be required to minimise any risk, both in the short and long term. 


Why the non conformance authority did not obtain the approvals from the Chief 
Engineer and Business Quality Director when sentencing the retrospective 
concession could not be conclusively determined. However, the ATSB determined 
a number of factors that may have combined to result in the omission as follows: 


e the standard form used for both normal and retrospective concessions did 
not assist the non conformance authority to ensure that the additional 
approvals were obtained. 


* the concession form contained a list of common specialist areas that may be 
required during the sentencing of a concession, but that list did not include 
the Chief Engineer and Business Quality Director, and as such there was no 
prompt to remind the non conformance authority to obtain those approvals. 


Similarly, there was nothing on the concession form to explicitly indicate that the 
concession was retrospective. Such an indication may have prompted the non 
conformance authority to realise that it was not a routine concession application 
and, as such, required additional actions. 


The number of concessions being raised by the manufacturing engineer and 
assessed by the non conformance authority at the time indicated that the raising and 
sentencing of concessions was a routine process; however, the raising and 
sentencing of a retrospective concession was not routine. Because the majority of 
the processes were common to both normal and retrospective concessions, it was 
possible that the non conformance authority processed the retrospective concession 
in the same manner as a normal concession. 


By not specifying when in the retrospective concession process the Chief 
Engineer's approval was to be obtained, there was potential for their expert 
consideration to be missed if the process was not completed, as occurred in this 
case. 


In contrast to the retrospective concession process, the need for an early fleet-wide 
risk assessment was inherent in the process for a Safety Alert Report. In the safety 
alert process the airworthiness department and the Chief Engineer were involved 
early in the decision making process. This ensured that the Chief Engineer's expert 
consideration was included in the determination of the extent of, and risks 
associated with, the potential issue. In the case of the non-conformance identified 
within the oil feed stub pipe, based on the manufacturing personnel’s knowledge 
and understanding at that time, they did not identify a potential safety issue, 
determined that a retrospective concession was suitable, and the raising of a Safety 
Alert Report was not required. 
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5.6 


5.7 


Quality review board 


Although the Quality Review Board was not responsible for a technical review of 
retrospective concessions, one of their functions was to ensure compliance with the 
quality management system. One of the means of carrying out this function was 
through receipt of reports regarding significant product non-conformances. The 
board was not responsible for the detailed review of each concession to determine 
its compliance with the process; however, they were responsible for monitoring 
reported significant non-conformance and the management of the effective closure 
of any corrective actions. 


Given that the concession covered all of the parts manufactured up to that date and 
released into service, the ATSB considered that from a quality assurance 
perspective, the non-conformance should have been deemed to be significant. The 
engine manufacturer's procedures did not provide any guidance on how to 
determine the significance of a non-conformance. Therefore, it was unlikely that 
Hucknall Casings and Structures personnel would have reported the retrospective 
concession to the Quality Review Board because they considered that from an 
engineering point of view the non-conformance was minor, as indicated by the Cat 
3 categorisation, and therefore not significant. 


Even though the non-conforming oil feed stub pipes should have been reported to 
the Quality Review Board, it was unlikely, due to their terms of reference and 
composition, that the board would have identified the incomplete retrospective 
concession process. While this did not represent an opportunity to ensure that a 
fleet-wide risk assessment was made, it highlights the need to provide suitable 
guidance to manufacturing personnel to ensure that significant non-conformances 
are appropriately managed within the manufacturer's quality management system. 


Quality assurance 


The investigation examined the quality assurance function of the oversight of 
documentation, processes and procedures relating to the management of non- 
conforming parts, specifically the raising of retrospective concessions. Quality 
assurance, as with quality control, was a function of the engine manufacturer's 
Quality Management System. Evidence showed that, during the raising of the 
retrospective concession for the oil feed stub pipe interference bore position, a 
number of the existing risk controls for management of non-conforming 
components were ineffective. 


The ineffectiveness of the risk controls influenced the handling of the non- 
conformance process surrounding the retrospective concession activity of 

April 2009. Also, the lack of a requirement for a statistical process control expert 
review of the statistical analysis was a risk control missing from the system that 
may have provided another layer of protection. 


Regulatory oversight 


The ATSB determined that the United Kingdom Civil Aviation Authority 
performed their responsibilities within the requirements of the regulatory 
framework by monitoring the engine manufacturer's compliance with their quality 
management system. 
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5.8 


5.9 


5.10 


Classification of the HP/IP bearing support assembly 


A review of the certification failure modes, effects and criticality analysis found 
that a failure of the oil feed stub pipe, amongst other failure modes, could result in a 
hazardous engine failure. As such, the ‘unclassified’ classification applied to the 
assembly at certification was not appropriate for the identified failure modes. 
Therefore, the need for appropriate levels of process control, to manage the 
associated hazard risks, would not have been communicated to the manufacturer's 
staff. 


Partial first article inspection 


The partial first article inspection of the HP/IP support assembly that was carried 
out in late April 2009, following the revision to the oil feed stub pipe counter bore 
datum, did not represent a specific opportunity to identify the risk to the fleet. 
However, it did highlight several issues that remained within the manufacturer's 
Hucknall Casings and Structures facility. 


The report for the partial first article inspection showed that it was still considered 
acceptable within Hucknall Casings and Structures to use manufacturing stage 
drawings rather than design definition drawings during this inspection. This was 
despite the procedure being revised beforehand, which specifically clarified that 
they were not to be used for showing conformity. 


It also showed that Hucknall Casings and Structures were still not able to 
manufacture the article to comply with the design definition, and were applying a 
concession to the article and continuing with manufacture. This was not in 
accordance with the manufacturer's group quality procedure, which required 
corrective action to be taken for any non-conformances and for the first article 
inspection to be redone. 


Airframe certification standard for an uncontained 
engine rotor failure 


The certification of the A380 was based upon the minimisation of hazards to the 
aircraft resulting from an uncontained engine rotor failure (UERF). Advisory 
Material — Joint (AMJ) 20-128A and Advisory Circular (AC) 20-128A provided a 
means of demonstrating compliance with Joint Aviation Requirements (JAR) 
25.903(d)(1) and Code of Federal Regulations, Title 14 (14 CFR) 25.903(d)(1) 
respectively. The advisory material evolved from the lessons learned from the 
investigation of a number of UERF accidents, where the resulting damage was 
analysed by the relevant airworthiness authorities in response to recommendations 
arising from those investigations. 


The amount of damage to VH-OQA resulting from the No. 2 engine UERF was 
greater than the modelling outlined in the advisory material. Primarily, this was the 
result of combined damage from multiple fragments on different trajectories that 
affected redundant system paths. This included systems such as the flammable fluid 
shut-off valves (fuel low pressure shut-off valves for the No. 1 engine, and the 
hydraulic shut-off valve for the No. 2 engine) and the fire extinguishing system of 
the No. 1 engine (refer to Damage to the aircraft in section 1.3 and Appendix B). 
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5.11 


5.12 


5.13 


Notwithstanding this, the aircraft was capable of continued safe flight and it landed 
at Changi Airport, Singapore. 


This accident represents an opportunity to extend the knowledge base relating to the 
hazards from UERF events and to incorporate that knowledge into the airframe 
certification advisory material in order to further minimise the effects of UERF on 
future aircraft designs. 


Wing fire 


The ATSB determined that there was a fire in the left wing inner fuel tank. A large 
hot fragment from the IP turbine disc penetrated the left inner fuel tank and was 
likely to have been the ignition source for the fire. 


The absence of thermal damage to the internal and external wing structure and 
painted surfaces indicated that the associated temperature rise was relatively low, 
consistent with a short duration (flash) fire. 


The conditions within the tank were suitable for a flash fire; however, they were not 
suitable to sustain the fire (refer to Appendix D). 


The landing distance performance application 


The inherent conservatism in the landing distance calculation by the landing 
distance performance application, for aircraft weights below the maximum landing 
weight and multiple failures, had the potential to increase flightcrew workload. 
Further, if the calculation incorrectly showed that the aircraft was unable to land 
safely at the nearest airport, it had the potential to influence crews to delay landing 
to reduce weight or to divert to an alternate airport. 


Summary 


A number of opportunities existed for the reduced wall thickness in the oil feed stub 
pipes, that resulted from a misaligned counter bore, to be identified before, during 
and after manufacture. However, these opportunities were missed by the 
manufacturer, resulting in a number of engines being produced and released into 
service with non-conforming oil feed stub pipes with consequent thin walls. Some 
of those oil feed stub pipe wall thicknesses were sufficiently reduced to pose a 
hazard to the safety of the engine and the aircraft to which they were fitted. 


Ultimately, this led to the HP/IP support assembly in the No. 2 engine of VH-OQA 
being released into and remaining in service until the oil feed stub pipe cracked, 
resulting in an internal engine fire and subsequent uncontained engine rotor failure 
overhead Batam Island on 4 November 2010. 


The ATSB also identified that this accident presents an opportunity for the aviation 
industry to enhance its knowledge about minimising the effects of UERF events on 
aircraft airframes and systems. 


ca4i- 
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6 FINDINGS 


The following findings are made with respect to the uncontained engine failure that 
occurred overhead Batam Island, Indonesia on 4 November 2010 and involved 
Airbus A380 aircraft, registered VH-OQA. They should not be read as apportioning 
blame or liability to any particular organisation or individual 


6.1 Contributing safety factors 


6.1.1 Disc failure during the occurrence flight 


Over time, a fatigue crack had developed in the thin-wall section of the oil 
feed stub pipe in the No. 2 engine to the extent that, during the occurrence 
flight, opening of the crack through normal movement within the engine 
released oil into the HP/IP buffer space. 


Auto-ignition of the oil leaking from the oil feed stub pipe created an 
intense and sustained fire within the HP/IP buffer space that resulted in 
localised heat damage to the intermediate pressure (IP) turbine disc. 


The IP turbine disc separated from the drive arm and accelerated. 


Following the separation of the IP turbine disc from the drive arm, the 
engine behaved in a manner that differed from the engine manufacturer's 
modelling and experience with other engines in the Trent family, with the 
result that the IP turbine disc accelerated to a rotational speed in excess of 
its design capacity whereupon it burst in a hazardous manner. [Safety issue] 


6.1.2 Manufacture and release into service of engine serial number 


91045 


During the manufacture of the HP/IP bearing support assembly fitted to the 
No. 2 engine (serial number 91045), movement of the hub during the 
machining processes resulted in a critically reduced wall thickness within 
the counter bore region of the oil feed stub pipe. 


It was probable that a non-conformance in the location of the oil feed stub 
pipe interference bore was reported by the coordinate measuring machine 
during the manufacturing process, but that the non-conformance was either 
not detected or not declared by inspection personnel, resulting in the 
assembly being released into service with a reduced wall thickness in the 
oil feed stub pipe. 


6.1.3 Opportunity to manage the non-conforming oil feed stub pipes 
in the Trent 900 fleet 


The statistical analysis used to estimate maximum likely oil feed stub pipe 
counter bore misalignment, and resulting thin wall section, did not 
adequately represent the population of actual misalignments in engines 
already released into service, nor did it implicitly provide a level of 
uncertainty in the results. 
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The language used to define the size of the non-conformance on the 
retrospective concession form did not effectively communicate the 
uncertainty of the statistical analysis to those assessing and approving the 
concession. 


The engine manufacturer did not have a requirement for an expert review of 
statistical analyses used in retrospective concession applications. [Safety 
issue] 


The engine manufacturer's process for retrospective concessions did not 
specify when in the process the Chief Engineer and Business Quality 
Director approvals were to be obtained. Having them as the final approval 
in the process resulted in an increased probability that the fleet-wide risk 
assessment would not occur. [Safety issue] 


The retrospective concession was not approved by the Chief Engineer and 
Business Quality Director, as required by the group quality procedures 
relating to retrospective concessions, denying them the opportunity to 
assess the risk to the in-service fleet. 


6.2 Other Safety Factors 


6.2.1 Release of Trent 900 engines with non-conforming oil feed stub 
pipe counter bores 


Numerous other engines within the Trent 900 fleet were also found to 
contain a critical reduction in the oil feed stub pipe wall thickness. [Safety 
issue] 


During preparation of the manufacturing process for the HP/IP bearing 
support assembly structure, a manufacturing datum was introduced because 
the location of the oil feed stub pipe counter bore could not be referenced to 
the design definition datum. That manufacturing datum was not constrained 
to the location of the oil feed stub pipe and as such could not ensure that the 
counter bore was concentric with the stub pipe, as the designers had 
intended. 


The engine manufacturer did not require its manufacturing engineers to 
consult with the design engineers to ensure that design intent would be 
maintained when introducing manufacturing datums. [Safety issue] 


The use by an inspector, during the first article inspection process, of the 
manufacturing stage drawings to verify the oil feed stub pipe counter bore 
features precluded the inspection from showing that the manufacturing 
process could produce an item that conformed to the design definition, or 
the intention of the design. 


The procedure for the first article inspection process contained ambiguities 
that resulted in an interpretation whereby the use of the manufacturing 
stage drawings was deemed to be acceptable. [Safety issue] 


A culture existed within the engine manufacturer's Hucknall facility where 
it was considered acceptable to not declare what manufacturing personnel 
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determined to be minor non-conformances in manufactured components. 


[Safety issue] 


The coordinate measuring machine was programmed to measure the 
location of the oil feed stub pipe interference bore with respect to the 
manufacturing datum, instead of the design definition datum as specified on 
both the design and manufacturing stage drawings. [Safety issue] 


During the production of a number of HP/IP bearing support assemblies, 
the coordinate measuring machine identified a non-conformance in the 
location of the oil feed stub pipe interference bore. 


It was likely that when making the determination that the non-conforming 
HP/IP bearing support assemblies were acceptable for use, the 
manufacturing personnel did not know that the coordinate measuring 
machine referenced a different datum to the design definition drawings and 
unknowingly released thin-walled pipes into service based on an alternative 
(wire gauge) measurement method. 


The engine manufacturer's group quality procedures did not provide any 
guidance on how manufacturing personnel were to determine the 
significance of a non-conformance, from a quality assurance perspective. 
[Safety issue] 


When the retrospective concession was processed, the non-conformance 
was not reported to the Quality Review Board because manufacturing 
personnel did not identify it as a significant non-conformance. 


The manufacturer's classification, relating to the criticality of failure, of the 
HP/IP bearing support assembly was inappropriate for the effects of a fire 
within the buffer space and hence, the requirement for an appropriate level 
of process control was not communicated to the manufacturing staff. 
[Safety issue] 


The partial first article inspection carried out in 2009 on the HP/IP support 
structure was not compliant with the engine manufacturer's procedures. 


6.2.2 Minimisation of hazards resulting from an uncontained engine 
rotor failure 


The evolution of the current advisory material relating to the minimisation 
of hazards resulting from uncontained engine rotor failures was based on 
service experience, including accident investigation findings. The damage 
to Airbus A380-842 VH-OQA exceeded the modelling used in the UERF 
safety analysis and, therefore, represents an opportunity to incorporate any 
lessons learned from this accident into the advisory material. [Safety issue] 


6.2.3 Landing distance performance application 


The calculation method in the aircraft manufacturer's landing distance 
performance application was overly conservative and this could prevent the 
calculation of a valid landing distance at weights below the maximum 
landing weight with multiple system failures. [Safety issue] 
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6.3 Other Key Findings 


e Alarge fragment of the hot intermediate pressure turbine disc passed 
through the left inner fuel tank, which resulted in a short-duration low- 
intensity fire. Conditions within the fuel tank were not sufficient to sustain 
combustion and a hazardous situation did not result. 


e There was a short-duration oil fire in the No. 2 engine lower nacelle that 
self-extinguished, resulting only in localised damage to the nacelle. 


e Despite significant system and structural damage following the uncontained 
engine rotor failure, the aircraft was capable of continued safe flight and 
landing. 


e The duration of the CVR recording was insufficient to capture the entire 
occurrence that included the engine failure and subsequent ground 
operation up to passenger disembarkation. 


e The crew’s decision to perform a precautionary disembarkation via the 
stairs likely provided the safest option, particularly given the low 
immediate safety threat and the elevated risks associated with an 
emergency evacuation into a potentially hazardous external environment. 


e The flight and cabin crew managed the event as a competent team in 
accordance with standard operating procedures and practices. 
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SAFETY ACTION 


7.1 


7.1.1 


The safety issues identified during this investigation are listed in the Findings and 
Safety Actions sections of this report. The Australian Transport Safety Bureau 
(ATSB) expects that all safety issues identified by the investigation should be 
addressed by the relevant organisation(s). In addressing those issues, the ATSB 
prefers to encourage relevant organisation(s) to proactively initiate safety action, 
rather than to issue formal safety recommendations or safety advisory notices. 


Preliminary safety actions 


Immediately after, and then progressively during the preliminary stages of the 
investigation, before any specific safety issues had been identified, the ATSB was 
advised by a number of involved organisations of various proactive safety actions. 


Qantas Airways Ltd grounding of their A380 fleet 


Grounding 


On 4 November 2010, after notification of the uncontained failure of the 

No.2 engine in VH-OQA, Qantas Airways Ltd (Qantas) elected to immediately 
cease operations with their fleet of A380 aircraft. This grounding remained in effect 
until further information on the sequence of events leading up to the uncontained 
engine failure was available that would inform Qantas of the associated safety risk 
to its operations. 


Return to service 


Qantas commenced the reintroduction of its A380 fleet into service on 

27 November 2010. This followed the airline's own investigation and analysis of 
the occurrence as ratified by the engine manufacturer and agreed by the Civil 
Aviation Safety Authority (CASA). 


With respect to the decision by Qantas to commence returning their A380 aircraft to 
service, on 30 November 2010 CASA advised the ATSB that: 


Qantas provided CASA with extensive documentation to support the planned 
return to service as well as a number of briefings by key personnel. Qantas’ 
plans as presented and analysed by CASA’s technical experts detailed a 
conservative approach and called for the implementation of additional safety 
mitigation strategies above the requirements of the engine manufacturer. 


CASA is satisfied that Qantas' decision is appropriate. 


Only flights that did not require the use of maximum engine thrust were permitted. 
That decision was based on advice from the engine manufacturer. 
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7.1.2 


7.1.3 


7.1.4 


Rolls-Royce plc - Trent 900 engine inspections 


Non-modification service bulletin 72-G589 


On 4 November 2010, Rolls-Royce issued non-modification service bulletin 
(NMSB) 72-G589 that required a series of checks on all in-service (or on-wing) 
Trent 900 engines. This included a one-time inspection of the turbine blades and the 
high pressure/intermediate pressure (HP/IP) turbine bearing area in each engine 
prior to the next flight. Any indication of oil in the buffer zone in the HP/IP bearing 
support structure was of particular interest. 


NMSB 72-AG590 


On 10 November 2010, Rolls-Royce issued NMSB 72-AG590, requiring the 
inspection of all Trent 900 series engines for evidence of oil leaks into specific 
turbine area components. 


On 12 November 2010, Rolls-Royce advised that: 


... process of inspection will continue and will be supplemented by the 
replacement of the relevant module according to an agreed programme. 


On 18 November 2010, Rolls-Royce issued Revision 2 of NMSB 72-AG590, 
detailing further Trent 900 engine inspections, including for defects in a number of 
turbine area oil and air feed pipes. 


Airbus SAS - Trent 900 engine inspections 


On 5 November 2010 Airbus SAS (Airbus), in response to this occurrence, released 
All Operators Telex A380-728002 that required all operators of A380 aircraft to 
comply with the engine inspection requirements of Rolls-Royce NMSB 72-G589. 


Airbus also issued a number of Accident Investigation Telexes to all of its 

A380 customers informing them of the progress of its own investigation and of the 
details of the aircraft's recovery at Changi Airport, Singapore, and confirming their 
intent to continue as an adviser to the ATSB investigation. 


European Aviation Safety Agency 


On 10 November 2010, the European Aviation Safety Agency (EASA) issued 
emergency airworthiness directive EASA AD: 2010-0236-E in respect of the 
operation of the Rolls-Royce RB211 Trent 900 series engines. The airworthiness 
directive required the periodic inspection of the HP/IP engine structure for any 
abnormal oil leakage. If any discrepancy was identified, the further operation of that 
engine was prohibited. 


That action by EASA was based on a preliminary analysis of the circumstances of 
the engine failure in VH-OQA by Rolls-Royce. That analysis had indicated that an 
oil fire in a cavity within the HP/IP structure may have caused the failure of the 
intermediate pressure turbine disc. 


A full copy of EASA AD: 2010-0236-E is available at: 


http://ad.easa.europa.eu/ad/2010-0236-E 
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7.1.5 


The EASA emergency AD was superseded on 22 November 2010 by 
AD 2010-0242-E that incorporated the contents of Rolls-Royce NMSB 72-AG590 
(Revision 2). AD 2010-0242-E is available at: 


http://ad.easa.europa.eu/ad/2010-0242-E 


Australian Transport Safety Bureau 


On 30 November 2010 the ATSB had, in close consultation with Rolls-Royce and 
the UK Air Accidents Investigation Branch, established that the occurrence was 
directly related to the fatigue cracking of an oil feed stub pipe within the 

No.2 engine's HP/IP bearing support structure. The ATSB identified the following 
safety issue: 


Safety issue 


Misaligned stub pipe counter-boring is understood to be related to the 
manufacturing process. This condition could lead to an elevated risk of fatigue 
crack initiation and growth, oil leakage and potential catastrophic engine failure 
from a resulting oil fire. 


Action taken by the ATSB 


On 1 December 2010, the ATSB issued the following safety recommendation to 
Rolls-Royce. 


ATSB safety recommendation AO-2010-089-SR-012 


The Australian Transport Safety Bureau recommends that Rolls-Royce plc address 
this safety issue and take actions necessary to ensure the safety of flight operations 
in transport aircraft equipped with Rolls-Royce plc Trent 900 series engines. 


A full copy of the ATSB safety recommendation is available at: 


www.atsb.gov.au/publications/investigation reports/2010/aair/ao-2010-089 


Initial action taken by Rolls-Royce 


In response to the developing understanding of this safety issue, on 2 December 
2010 Rolls-Royce issued NMSB 72-G595 to operators of the Trent 900 engine, 
which required the specialised examination, measurement and reporting of the stub 
pipe counter bore geometry in these engines. No assessment or engine rejection 
criteria were included in the NMSB. 


A 20 flight cycle compliance limitation was specified for the completion of the oil 
feed stub pipe examination. 


ATSB assessment 


Despite the initial Rolls-Royce action to release NMSB72-G595, the ATSB was 
concerned that the bulletin did not place assessment and engine rejection criteria on 
the measurement of the stub pipe counter bore geometry. In addition, the ATSB did 
not consider the 20 cycle limitation as adequately addressing this safety issue. The 
ATSB consulted with CASA, who initiated the actions as detailed below. 
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Action taken by CASA 


On 2 December 2010, CASA issued a maintenance direction to Qantas under 
Regulation 38 of the Civil Aviation Regulations 1988. That direction required that 
Qantas: 


(a) Comply with Rolls-Royce plc Service bulletin number 72-G595 
subsequent and any amendment or revision of it, within two cycles from the 
issue of this direction; 


(b) In the event abnormal or eccentric counter-boring of the tubes described in 
the service bulletin is identified, this must be recorded as a major defect of the 
engine; 


(c) Upon completion of compliance with the service bulletin an entry shall be 
made in the aircraft's maintenance records stating what actions were taken to 
comply with the service bulletin and this direction; 


(d) Upon completion of compliance with the service bulletin a written report 
shall be furnished to [CASA] stating how the service bulletin and this 
direction were complied with and the outcome of compliance with the service 
bulletin. 


ATSB assessment of the CASA action 


The ATSB is satisfied that the action taken by CASA adequately addresses the 
immediate safety of flight concerns in respect of Qantas operation of A380 aircraft 
equipped with Trent 900 series engines. Therefore the ATSB makes no 
recommendation in relation to this issue. 


Further action taken by Rolls-Royce in response to the safety 
recommendation 


On 2 December 2010 Rolls-Royce issued Revision 1 to NMSB 72-G595. This 
revision incorporated assessment and engine rejection criteria for the measurement 
of potential counter bore misalignments, and in particular, a tightening of the 
compliance from 20 to two flight cycles. 


ATSB assessment of the Rolls-Royce action 


The ATSB is satisfied that the action taken by Rolls-Royce adequately addresses 
the immediate safety of flight concerns in respect of Qantas operation of A380 
aircraft equipped with Trent 900 series engines. 


Action taken by Qantas 
On 2 December 2010, Qantas advised that: 


...in response to Service Bulletin RB211-72-G595 (Revision 1), and in line 
with ATSB Safety Recommendation AO-2010-089-SR-012, Qantas will 
conduct a focused borescope measurement inspection of the HP/IP turbine 
bearing support structure oil feed tube for concentricity of the counter-bore 
and inspection of the related components on its RB211 Trent 900 series 
engines. The inspection results will be sent to Rolls Royce for evaluation. 
Rolls Royce will then provide Qantas with formal confirmation as to the 
serviceability of the engine. 
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7.2 


7.2.1 


These inspections will take place within the next 24 hrs on engines in place on 
A380 aircraft currently in service, and before further flight on engines on 
aircraft not yet returned to service. 


ATSB assessment of the Qantas action 


The ATSB is satisfied that the action taken by Qantas adequately addresses the 
immediate safety of flight concerns in respect of the operation of its A380 aircraft 
equipped with Trent 900 series engines. Therefore the ATSB makes no 
recommendation in relation to this issue. 


Subsequent safety actions 


The ATSB's understanding of the occurrence event and the factors contributing to it 
evolved over the course of the investigation. Further contributing safety factors and 
other safety factors were identified and the associated safety actions are set out 
below. 


Intermediate pressure turbine overspeed and burst following 
failure of drive arm due to internal engine fire 


Safety issue 


Following the separation of the IP turbine disc from the drive arm, the engine 
behaved in a manner that differed from the engine manufacturer's modelling and 
experience with other engines in the Trent family, with the result that the IP turbine 
disc accelerated to a rotational speed in excess of its design capacity whereupon it 
burst in a hazardous manner. 


Action taken by Rolls-Royce 


On 3 December 2010, Rolls-Royce released NMSB RB.211-73-AG639, advising 
Trent 900 operators of the introduction of a revised standard of engine management 
software that featured an IP turbine overspeed protection system (IPTOS). 


The IPTOS was intended to detect engine conditions with the potential to lead to an 
IP turbine over speed. In response, IPTOS would shut down the engine before the 
IP turbine disc reached its critical burst speed. Shaft breaks and disc separation, 
such as occurred in VH-OQA can occur for mechanical reasons such as component 
fatigue, an over torque being applied to the shaft or a manufacturing defect, or by 
localised heating such as from an oil-fed fire. During the course of the investigation 
into the No.2 engine failure in VH-OQA, the ATSB was provided a detailed 
summary of the IPTOS protection system, which works on the following logic: 


The first element arms the system, and is based on detecting a prescribed rate 
of temperature change of turbine cooling air at the front (TCAF) or rear 
(TCAR) of the IP turbine. Such rates of change indicate that a fire has 
developed within the engine that may lead to localised heating of the IP 
turbine disc or shaft. 
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7.2.2 


Once armed, if an abnormally high rapid rate of compressor deceleration is 
detected, a shaft break or disc separation is indicated and the EEC (engine 
electronic controller) will instantly shut off the fuel, open all the bleed valves 
and close the variable stator vanes. 


Flight crew are alerted to an IP shaft failure through a flight deck annunciator 
alert that raises the message ‘ENG FAIL-SHAFT FAILURE’. 


Rolls-Royce reported that the engine EEC software upgrade that included the 
IPTOS functionality was incorporated across the Trent 900 fleet by 6 December 
2010. 


Action taken by Airbus 


On 9 December 2010, in conjunction with the release of the Trent 900 IPTOS as 
advised in Rolls-Royce NMSB RB.211-73-AG639, Airbus released service bulletin 
A380-73-8011 to operators of Trent 900 equipped A380 aircraft. This bulletin 
required the IPTOS to be installed across the Trent 900-equipped fleet. 


Action taken by EASA 


On 13 December 2010, EASA issued airworthiness directive AD: 2010-0262 in 
respect of modifying the Trent 900 EEC software by incorporating the IPTOS logic, 
as detailed in Rolls-Royce NMSB RB.211-73-AG639. The airworthiness directive 
required all Trent 900 engines to be modified within 10 flight cycles. 


A full copy of EASA AD: 2010-0262 is available at: 
http://ad.easa.europa.eu/ad/2010-0262 


ATSB assessment of Rolls-Royce, Airbus and EASA safety action 


The ATSB is satisfied that the action taken by Rolls-Royce, Airbus and EASA 
adequately addresses the safety issue in respect of the risk of an IP turbine 
overspeed and burst. Therefore the ATSB makes no recommendation in relation to 
this issue. 


Release of non-conforming oil feed stub pipes into service 


Safety issue 


Numerous other engines within the Trent 900 fleet were also found to contain a 
critical reduction in the oil feed stub pipe wall thickness. 


Action taken by Rolls-Royce 


In December 2010, in response to this safety issue, Rolls-Royce focussed on 
assessing the oil feed stub pipe counter bore geometries across the Trent 900 engine 
fleet. Following a stress analysis and numerical modelling of the stub pipe counter 
bore geometry, a minimum calculated stub pipe wall thickness acceptance limit of 
0.5 mm was established in order for engines to remain in service. Any engine with a 
stub pipe thickness below this limit was removed from service. Wall thicknesses 
were established across the fleet using either: 
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e a specialist borescope visual inspection and measurement of the oil feed 
stub pipe counterbore (NMSB 72-G595) 


* examination of a ‘replicast’ (a rubber-like mould) of the oil feed stub pipe's 
internal features (Technical Variance 108953) 


e  aborescope inspection to identify the serial numbers of relevant HP/IP 
bearing support structures fitted to Trent 900 engines (NMSB 72-643) 


* existing manufacturing data. 


The borescope inspection technique introduced by NMSB 72-G595 was successful 
in identifying in-service oil feed stub pipes with reduced wall sections. However, 
based on the results, the tolerances were not sufficient to provide confidence for 
accurate service management. 


The available manufacturing data was analysed by Rolls-Royce from early 
December 2010 to calculate the oil feed tube wall thickness in some B-standard 
HP/IP bearing support structures and all C-standard structures. Rolls-Royce elected 
to withdraw all of the A-production standard HP/IP bearing support structures due 
to their manufacturing records being unavailable. 


As a result of this action, 40 engines were removed from service having been 
identified with an oil feed stub pipe wall thickness of less than 0.5 mm. This 
resulted in the removal from service of the following engines: 


e 14 engines with an A-production standard HP/IP bearing support structure 


e 23 engines with a B-production standard HP/IP bearing support structure. 
Of these, five were removed from Qantas-operated A380 aircraft 


e Three engines with a C-production standard HP/IP bearing support 
structure. 


Following the occurrence, the stub pipe wall thickness production limit was 
restricted to 0.70 mm for all newly manufactured engines (Figure 93). The revised 
limit was introduced in December 2010, along with enhanced techniques for the 
measurement of critical dimensions within the counter bore region. 


Rolls-Royce production data showed that, after the introduction of this revised limit 
in December 2010, the quality control of the manufacture of the HP/IP bearing 
support structure at the Hucknall facility had improved (Figure 93). 
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Figure 93: Production data for the HP/IP bearing support structures that were 
manufactured at the Hucknall facility 
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ATSB assessment 


The ATSB is satisfied that the action taken by Rolls-Royce adequately addresses 
this safety issue and therefore makes no recommendation. 


7.2.3 Consultation between manufacturing engineers and design 
engineers to ensure maintenance of design intent 


Safety issue 


The engine manufacturer did not require its manufacturing engineers to consult 
with the design engineers to ensure that design intent would be maintained when 
introducing manufacturing datums. 


Action taken by Rolls-Royce 
Rolls-Royce advised the ATSB that: 


In January 2011, a revision to GQP [group quality procedure] ‘Manufacturing 
Technical Package’ was issued that provided greater structure and guidance 
for buy-off [manufacturing acceptance] between design and manufacturing 
personnel. 


ATSB assessment 


The ATSB is satisfied that the action taken by Rolls-Royce adequately addresses 
this safety issue and therefore makes no recommendation. 
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7.2.4 


7.2.5 


Use of manufacturing stage drawings for the first article 
inspection 


Safety issue 


The procedure for the first article inspection process contained ambiguities that 
resulted in an interpretation whereby the use of the manufacturing stage drawings 
was deemed to be acceptable. 


Action taken by Rolls-Royce 


As part of their ongoing quality assurance activities, Rolls-Royce had previously 
revised the group quality procedure for first article inspections to explicitly 
preclude the use of manufacturing stage drawings during the inspection. In addition, 
Rolls-Royce advised the ATSB that in January 2011: 


A revision to the First Article Inspection (FAT) process was also issued that 
provided further guidance to personnel if the design intent could not be met. 


ATSB assessment 


The ATSB is satisfied that the actions taken by Rolls-Royce adequately addresses 
this safety issue and therefore makes no recommendation. 


Culture of acceptance of ‘minor’ non-conforming components 
during manufacture at the Rolls-Royce Hucknall facility 


Safety issue 


A culture existed within the engine manufacturer's Hucknall facility where it was 
considered acceptable to not declare what manufacturing personnel determined to 
be minor non-conformances in manufactured components. 


Action taken by Rolls-Royce 


During the ATSB’s investigation, Rolls-Royce advised that, in June 2007, an 
independent product process audit was conducted at the manufacturer's facility at 
Hucknall. The audit found that items being produced at Hucknall contained high 
levels of non-conformance that were not being reported through the existing non- 
conformance management process. 


The manufacturer reported the following safety actions had been taken in response 
to those audit findings: 


All output from Hucknall [Casings and Structures] (HCAS) was stopped. 


Civil and Defence engineering teams were engaged to assess any 
non-conformance in order to identify anything that could affect fit, form or 
function. 


The CAA were informed of a ‘compliance issue at Hucknall’. 
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7.2.6 


7.2.7 


All HCAS employees were briefed in July 2007, and again in 
October/November 2007. The key message to employees was to emphasise 
the concession process requirement that all non-conformances to the 
engineering drawings must be identified and assessed. 


A major quality investigation (MQI) was raised on 15 August 2007 to 
investigate systems, processes and behaviours. 


These actions were completed in June 2008. 


ATSB assessment 


The ATSB is satisfied that the action taken by Rolls-Royce adequately addresses 
this safety issue and therefore makes no recommendation. 


Difference between drawing datum and coordinate measuring 
machine datum 


Safety issue 


The coordinate measuring machine was programmed to measure the location of the 
oil feed stub pipe interference bore with respect to the manufacturing datum, 
instead of the design definition datum as specified on both the design and 
manufacturing stage drawings. 


Action taken by Rolls-Royce 


Rolls-Royce advised the ATSB that in July 2008, the design definition and 
manufacturing stage drawings had been changed to use the inner diameter of oil 
feed stub pipe as the datum for the oil feed stub pipe counter bore. During March 
and April 2009 both the manufacturing process and the coordinate measuring 
machine program were changed to use that revised datum. Use of the original 
manufacturing datum was discontinued. 


ATSB assessment 


The ATSB is satisfied that the action taken by Rolls-Royce adequately addresses 
this safety issue and therefore makes no recommendation. 


Expert review of statistical analysis in support of retrospective 
concessions 


Safety issue 


The engine manufacturer did not have a requirement for an expert review of 
statistical analyses used in retrospective concession applications. 


Action taken by Rolls-Royce 


On 25 May 2011, Rolls-Royce advised the ATSB that a major corrective action, 
which arose from an internal major quality investigation, was to remove the 
existing retrospective concession procedures from their quality system, and replace 
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7.2.8 


them with a new Global Process titled Management of Undeclared Non- 
Conformance in Delivered Product. 


The global process was developed to ensure an improved and more consistent 
approach across the company when it is identified that parts containing undeclared 
and non-conforming features have been released to the customer for entry into 
service. The global process included a technical review by a statistic expert. 


The global process was incorporated into the engine manufacturer's quality 
management system on 4 July 2011. 


ATSB assessment 


The ATSB is satisfied that the action taken by Rolls-Royce adequately addresses 
this safety issue and therefore makes no recommendation. 


Chief Engineer and Business Quality Director review of 
retrospective concessions 


Safety issue 


The engine manufacturer's process for retrospective concessions did not specify 
when in the process the Chief Engineer and Business Quality Director approvals 
were to be obtained. Having them as the final approval in the process resulted in an 
increased probability that the fleet-wide risk assessment would not occur. 


Action by Rolls-Royce 


On 25 May 2011, Rolls-Royce advised the ATSB that a major corrective action, 
which arose from an internal major quality investigation, was to remove the 
existing retrospective concession procedures from their quality system, and replace 
them with a new Global Process titled Management of Undeclared Non- 
Conformance in Delivered Product. 


The global process was developed to ensure an improved and more consistent 
approach across the company when it is identified that parts containing undeclared 
and non-conforming features have been released to the customer for entry into 
service. The global process requires the Chief Engineer and the Business Quality 
Director to be involved in the process at a much earlier stage to ensure that the 
fleet-wide risk assessment is conducted. 


The global process was incorporated into the engine manufacturer's quality 
management system on 4 July 2011. 


Additionally, Rolls-Royce carried out an independent audit and review of the 
retrospective concession activity for the 2009 to 2011 period. The review revealed 
that only 7 out of 138 retrospective concessions that had been raised within the 
Civil Large Engine business unit were compliant with the engine manufacturer's 
procedures. 


All non-compliant retrospective concessions that had been raised since 2009 were 
subsequently identified and revalidated by the appropriate Chief Engineer and 
Business Quality Director. Other than the retrospective concession regarding the 
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7.2.9 


7.2.10 


misalignment of the oil feed stub pipe counter bores, no safety concerns were 
identified and no in-service activity required. 


ATSB assessment 


The ATSB is satisfied that the actions taken by Rolls-Royce adequately addresses 
this safety issue and therefore makes no recommendation. 


Reporting of significant non-conformances to the quality review 
board 


Safety issue 


The engine manufacturer's group quality procedures did not provide any guidance 
on how manufacturing personnel were to determine the significance of a non- 
conformance, from a quality assurance perspective. 


Action taken by Rolls-Royce 


On 25 May 2011, Rolls-Royce advised the ATSB that a major corrective action, 
which arose from an internal major quality investigation, was to remove the 
existing retrospective concession procedures from their quality system, and replace 
them with a new Global Process titled Management of Undeclared Non- 
Conformance in Delivered Product. 


The global process was developed to ensure an improved and more consistent 
approach across the company when it is identified that parts containing undeclared 
and non-conforming features have been released to the customer for entry into 
service. The global process includes involvement of quality assurance personnel 
from the initiation of the process through to its completion. 


The global process was incorporated into the engine manufacturer's quality 
management system on 4 July 2011. 


ATSB assessment 


The ATSB is satisfied that the action taken by Rolls-Royce adequately addresses 
this safety issue and therefore makes no recommendation. 


Classification of the HP/IP bearing support assembly 


Safety issue 


The manufacturer's classification, relating to the criticality of failure, of the HP/IP 
bearing support assembly was inappropriate for the effects of a fire within the 
buffer space and hence, the requirement for an appropriate level of process control 
was not communicated to the manufacturing staff. 


Action taken by Rolls-Royce 


In February 2012, Rolls-Royce advised the ATSB of the initiation of a major 
quality investigation into Trent 900 failure modes effects and criticality analysis 
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(FMECA) inaccuracies. That investigation was commenced after it was identified 
that the potential for an IP turbine disc failure was not reflected in the Trent 900 
FMECA certification documentation as a hazardous event. Safety action by Rolls- 
Royce included: 


...the Trent 900 FMECAs have been reviewed and updated in light of the 
QF32 event. The Oil System and Transmissions FMECAs have now been 
updated. 


The manufacturer advised that as a result of the review of the FMECA, it had 
reclassified the HP/IP bearing support from ‘unclassified’ to ‘reliability sensitive’. 
This change in classification would require the appropriate level of process control. 


ATSB assessment 


The ATSB is satisfied that the action taken by Rolls-Royce adequately addresses 
this safety issue and therefore makes no recommendation. 


Landing distance calculation at aircraft weights below the A380 
maximum landing weight 


Safety issue 


The calculation method in the aircraft manufacturer’s landing distance performance 
application was overly conservative and this could prevent the calculation of a valid 
landing distance at weights below the maximum landing weight with multiple 
system failures. 


Action taken by Airbus 


On the 28 September 2011, in response to this safety issue, Airbus advised the 
ATSB of the following safety action: 


Airbus has developed a product improvement with the in-flight landing 
distance application OIS 2B+, available to A380 Operators 4 October 2011 
with SB A380-46-8046, that ensures consistency of computation results 
whatever the landing weight, 


Airbus has informed all A380 Operators at March 2011 Flight Safety 
Conference and at May 2011 Performance and Operations Conference. 


A further product improvement will be introduced with future OIS standards 
planned to be available by the third quarter of 2013 that will optimize 
performance calculation and therefore improve consistency of in-flight 
landing distance prediction to actual aircraft capability. 


ATSB assessment 


The ATSB is satisfied that the action taken by Airbus adequately addresses this 
safety issue and therefore makes no recommendation. 
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7.3 


7.3.1 


Airframe certification standards in the case of an uncontained 
engine rotor failure 


Safety issue 


The evolution of the current advisory material relating to the minimisation of 
hazards resulting from uncontained engine rotor failures was based on service 
experience, including accident investigation findings. The damage to Airbus A380- 
842 VH-OQA exceeded the modelling used in the UERF safety analysis and, 
therefore, represents an opportunity to incorporate any lessons learned from this 
accident into the advisory material. 


Action taken by ATSB 


As a result of the identified safety issue, coincident with the release of this 
investigation report, the ATSB has issued the following safety recommendations to 
the European Aviation Safety Agency and the United States Federal Aviation 
Administration. 


ATSB safety recommendation AO-2010-089-SR-039 


The Australian Transport Safety Bureau recommends that the European Aviation 
Safety Agency, in cooperation with the US Federal Aviation Administration, review 
the damage sustained by Airbus A380-842, VH-OQA following the uncontained 
engine rotor failure overhead Batam Island, Indonesia, to incorporate any lessons 
learned from this accident into the advisory material. 


ATSB safety recommendation AO-2010-089-SR-040 


The Australian Transport Safety Bureau recommends that the US Federal Aviation 
Administration, in cooperation with the European Aviation Safety Agency, review 
the damage sustained by Airbus A380-842, VH-OQA following the uncontained 
engine rotor failure overhead Batam Island, Indonesia, to incorporate any lessons 
learned from this accident into the advisory material 


Proactive actions 


Action taken by Airbus 


Although not specifically associated with any of the safety issues identified by the 
ATSB investigation, Airbus advised on 9 March 2013 of the following software 
enhancements for the A380 aircraft. 


Trim tank availability 


A software upgrade to the A380 ECAM was released to all A380 operators via 
Service Bulletin A380-42-8022 on 25 April 2013. The upgrade further emphasises 
the status and availability of fuel trim tank services. 


Operator compliance with the service bulletin was ‘recommended’ by Airbus. 
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Electrical generation and distribution 


Airbus' analysis of the available data after the occurrence established that when the 
aircraft electrical system (feeder cables) were damaged from the liberated engine 
debris, the No. 2 generator line contactor (GLC2) physically opened in order to 
isolate the Primary Electrical Power Distribution Center (PEPDC) from potential 
damage (that is, from short circuits or current spikes). Airbus advised the ATSB 
that the associated current monitoring system onboard the aircraft had actually 
detected that the GLC2 remained in a closed position, even though the contacts had 
physically opened. 


Airbus advised the ATSB that in the first-quarter of 2014, software enhancements 
will be available for the A380 electrical generation, distribution and monitoring 
system. The introduction of a revised software, ‘GGPCU Standard-18’, is intended 
to enhance the capabilities of the of the aircraft electrical system. The software is 
designed to monitor the electrical current at the feeder block to which each GLC is 
connected (as close to the GLC as possible), such that even in the hypothetical 
situation of a short-circuit: 


* residual current from the VFG will no longer affect the monitoring of the 
GLC, with reliable detection of the GLC in the open or closed state 


e recovery of the associated AC BUS bar will no longer be prevented. 
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APPENDIX A: ELECTRONIC CENTRALISED AIRCRAFT 
MONITORING PROCESS WORKFLOW AND TIMELINE 


Introduction 


This appendix outlines the Electronic Centralised Aircraft Monitoring (ECAM) ^ 


procedures that the flight crew most likely were presented with, and then followed 
after the No. 2 engine failed. A brief description of the A380 cockpit layout and 
information display is provided, followed by a description of ECAM, its function 
and use, and how warnings and associated system messages are displayed to the 
crew. Finally, a list of warnings as recalled by the flight crew, followed by the most 
likely ECAM workflow as recreated using data sources on board the aircraft and 
other associated documentation, is highlighted. 


Flight crew - aircraft system monitoring and 
interaction 


The A380 cockpit was designed to allow the aircraft to be operated by two flight 
crew members. There was additional seating for up to another three flight crew 
members behind the two operating crew members. Information pertinent to the 
operation of the aircraft was presented on a number of displays. The flight deck 
instrumentation layout is displayed in Figure A1. 


104 Electronic Centralised Aircraft Monitoring (ECAM), which is a process undertaken by a number 
of aircraft sub-systems. It is not a specific system by itself. 
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Figure A1: A380 flight deck instrumentation layout 
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Image source: Airbus 


There were eight display units that presented various information to the flight crew 
on the operation of the aircraft and its systems. These were: 


* Two Primary flight displays (PFD) that provided short-term flight 
information such as flight attitude, altitude and speed information. 


e Two Navigation displays (ND), which provided medium and long-term 
navigation information. 


* One Engine warning display (EWD), which had two displays. In the upper 
section of this display, engine operating parameters were shown. The lower 
section was the warning display (WD) and could display ECAM checklist 
items, alerts, procedures and memos to assist the crew. 
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* One System display (SD), which was of three sections. The upper section 
displayed aircraft system information and the middle section permanently 
displayed aircraft information. This included the external temperature, time, 
aircraft weight and centre of gravity and fuel on board. The lower section 
displayed the ‘mailbox’, which allowed the crew to communicate with air 
traffic control (ATC) via controller/pilot data link communications 
(CPDLC). 


* Two Multi-function displays (MFD) that provided the crew with an 
interface with the flight management system (FMS), ATC communications 
and the radar surveillance pages. The MFD also provided a backup input 
system for the aircraft's flight control unit (FCU). 


Each of the displays could be re-selected to display any of the other display units in 
the event of a single display unit failure. The normally-selected position of each of 
the displays is at Figure A2. 


Figure A2: Normal display locations 


Image source: Airbus 


ECAM description 


ECAM is a function that continuously monitors the aircraft, its systems and 
operating parameters and provides necessary information and warnings to the flight 
crew, in both normal and abnormal operations. 


ECAM integrates this information from a number of onboard systems, including 
(Figure A3): 


* two flight warning systems (FWS) 
* one ECAM control panel (ECP) 
* four master warning and caution lights 
e four loudspeakers. 
The information is displayed to the crew via the: 


*  EWD for normal checklists, abnormal and emergency procedures, aircraft 
limitations and memos 
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* SD for information relating to specific aircraft systems, the current aircraft 
status, and permanently-displayed aircraft data 


e lower section of the PFD for limitations that have an immediate effect on 
the flight. 


Figure A3: ECAM control locations within the flight deck instrument layout 
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Image source: Airbus 


Operating Modes 


ECAM will automatically select one of four different modes: 


* Inthe normal mode of operation, ECAM automatically displays systems 
and memos to the crew according to the applicable flight phase"? at that 
time. 


* In failure mode, when a system failure is detected, ECAM automatically 
displays the appropriate emergency or abnormal procedure with its 
associated system display. 


* The advisory mode provides the crew with a system display when a 
monitored system parameter starts to move out of its normal position and 


105 To minimise distractions during specific important flight phases (such as during takeoff and the 
initial climb), many abnormal and emergency procedures detected by ECAM are inhibited from 
being displayed. There are 12 separate flight phases on the A380, commencing when electrical 
power is first switched on and ending 5 minutes after the last engine is shut down at the end of the 
flight. 
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reaches predetermined triggering levels (for example, with an increasing oil 
temperature). 


e In manual mode the crew are able to use ECAM to manually select and 
display any applicable system checklist or procedure to assist them with 
operating the aircraft. 


Overall, the ECAM continuously monitored the aircraft and its systems and, when 
conditions were detected that were outside normal monitoring parameters, it 
automatically provided the crew with a warning or a caution depending upon the 
severity of the condition. The appropriate procedure to deal with the condition was 
simultaneously displayed on the lower part of the EWD and the appropriate aircraft 
system page on the SD. 


ECAM Alerts 


There were three levels of warnings and cautions within ECAM, each based upon 
the associated operational consequences of the detected failure. These levels of 
failure included: 


e Level 3 - the highest level of failure indicating an impact on the safety of 
the aircraft. This failure indication was colour coded red and had an 
associated aural warning (master warning). The recommended crew action 
was to respond immediately to the warning. 


* Level 2 - this failure indication defined an abnormal condition to the crew. 
It was colour coded amber with a different aural warning to that of a Level 
3 failure (master caution). The recommended crew action was to be aware 
of the condition and then take appropriate action. 


e Level 1 — defined as a degradation in an aircraft system, this failure 
indication was also colour coded amber but there was no associated aural 
warning (master caution visual only). The recommended crew action was to 
be aware of the condition. 


When multiple failures or out-of-limits conditions were detected by ECAM they 
were prioritised according to the programmed ECAM logic. "^ In that event, the 
highest priority procedure relating to the sensed condition was displayed first. 


When ECAM detects multiple system failures and has displayed them to the crew 
(abnormal procedure), the in-built ECAM logic meant that the crew are presented 
with the most important procedures first. Airbus operational philosophy means that 
each abnormal procedure, in order of importance, has to be completed by the flight 
crew before they move onto the next procedure. If the flight crew were attending to 
a lower priority ECAM, a higher priority ECAM would cease that procedure and 
display the higher priority ECAM for action. 


If an ECAM message disappeared either before the crew could action the procedure 
or while they were actioning the procedure, the Flight Crew Training Manual 
(FCTM) - Operating Philosophy — Abnormal operations and ECAM section 
indicated that the crew could consider that the warning or caution was no longer 
applicable. Application of any current procedure could be stopped. 


106 ECAM system logic is programmed to deal with every system requiring an alert as per aircraft 
certification rules. 
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The information displayed in response to ECAM detection was colour coded to 
provide assistance to the crew in determining its importance. The colour codes 
were: 


e Red - configurations or failures that required immediate action by the crew. 
This included specific limitations on crew action such as LAND ASAP (as 
soon as possible). 7 


e Amber - configurations or failures that the flight crew should be aware of, 
but did not require immediate action by the crew. When conditions 
permitted, these were required to be attended to without delay to prevent 
further degradation of affected systems. It also displayed specific 
limitations to the crew such as LAND ANSA (land at nearest suitable 
aerodrome). '? 


e Green — information relating to the procedure, checklist items already 
completed by the crew and memo items resulting from completed 
procedures. 


* White — procedures completed by the crew, condition items and titles of 
procedures. 


e Blue - actions to be completed in a procedure, limitations to be followed, 
checklist items not yet completed. 


e Grey — checklists completed by the crew, and actions not yet validated by 
the crew. 


ECAM Operation 


An example ECAM procedure as displayed to the crew on the lower part of the 
EWD is depicted in Figure A4. 


17 Defined by Airbus as being part of specific emergency procedures, in which case the applicable 
ECAM procedure contained a ‘LAND ASAP’ message. This indicated that the crew should land 
as soon as possible at the nearest suitable airport at which a safe approach and landing can be 
performed. 


108 Defined by Airbus as part of certain abnormal procedures. In these cases, the applicable ECAM 


procedure contained a ‘LAND ANSA’ message. This indicated that the crew should consider 
landing at the nearest suitable airport. 
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Figure A4: ECAM Procedure Display (representative) 
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Image source: Airbus 


Crews were required to work through the procedure from the top to the bottom, 
moving the applicable cursor as they did so and completing the required actions 
until the procedure was completed. The normal operating philosophy was that the 
pilot who was not handling the aircraft’s controls managed the ECAM procedures 
and sought confirmation from the handling pilot as required. 


For each item in a procedure, the pilot who was not handling the controls read each 
step in the procedure out aloud, carried out the applicable action and then marked 
that action as complete using the ECP. Some procedure items required the correct 
switch or control to be positively identified by both crew members before being 
activated. As a consequence, the workload for each procedure varied. 


Once a crew had dealt with all displayed ECAM messages, the system displayed a 
STATUS (STS) screen. This screen: 


* allowed the crew to review any applicable information on the impact of the 
ECAM procedures on the applicable aircraft systems 


e alerted the crew to any procedures requiring completion before entering 
certain phases of flight (for example, descent or approach), and any 
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operational limitations imposed by the failure or degradation of aircraft 
systems 


e presented pertinent information relating to the operation of systems that 
may have been affected as a result of the detected failures 


e indicated a list of inoperative systems on the aircraft. 


If there were significant lists of information that needed to be presented to the crew, 
this would be indicated by a MORE indication at the bottom of the STATUS page. 


Crew recollection of the initial ECAM messages 


The flight crew recalled the following systems warnings and inoperative system 
messages on ECAM after the failure of the No. 2 engine: 


* engines No. 1 and 4 were operating in a degraded mode 

e Green hydraulic system — low system pressure and low fluid level 
e Yellow hydraulic system — engine No. 4 pump errors 

e failure of the alternating current (AC) electrical No. 1 and 2 bus systems 
* flight controls operating in alternate law 

e wing slats inoperative 

e flight controls — ailerons partial control only 

e flight controls — reduced spoiler control 

e landing gear control and indicator warnings 

* multiple brake system messages 

* engine anti-ice and air data sensor messages 

* multiple fuel system messages, including a fuel jettison fault 

* centre of gravity messages 

e autothrust and autoland inoperative 

e No. 1 engine generator drive disconnected 

e left wing pneumatic bleed leaks 


e avionics system overheat. 


Manufacturer assessment of ECAM warnings 


The aircraft manufacturer, Airbus, advised the ATSB that all ECAM messages that 
were displayed to the crew were associated with an actual aircraft condition and 
were therefore considered to be valid messages. 


When the flight crew noticed that the YELLOW Hydraulic system was affected, yet 
all the damage was on the side of the aircraft in which the GREEN hydraulic system 
was located, they questioned the validity of the ECAM messages being presented to 
them. A discussion ensued, the outcome of which was that the crew agreed to assess 
and action the ECAM messages as they were displayed to them. 
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Reconstruction of ECAM sequence 


The voice recording of crew actions and dialogue immediately following the engine 
failure was not available to the ATSB due to limitations of the 2 hour cockpit voice 
recorder and the extended duration of the ground operations. The available recorded 
voice commenced after the crew had completed all of the applicable ECAM actions 
and the aircraft was on approach to Changi Airport, Singapore. The ATSB used 
other data sources and the crew's recollection of events to recreate the ECAM 
timeline and associated workflow. 


The time taken by the flight crew to respond to specific ECAM warnings and 
cautions was not directly recorded in any of the data sources on board the aircraft. 
However, the times and methods of the applicable system page display were 
recorded and the ECAM warnings and cautions were recorded in one of the onboard 
computer systems. The time each warning was CALCULATED, DISPLAYED and 
RESET’ was also recorded in that data. 


ECAM logic provides a particular priority to each specific warning, and certain 
messages may be inhibited during certain flight phases. There are 12 separate flight 
phases on the A380. During each of these flight phases, depending upon the type of 
procedure and its importance to the particular phase of flight, specific ECAM 
messages may be inhibited from display to the crew so as not to cause a distraction. 
When a large number of ECAM messages are generated, the priority logic ensures 
that the crew see the most important ones first. Less important ones may be at the 
end of the queue and therefore not initially visible to the crew due to the length of 
the preceding procedures on the ECAM display. 


The FCOM indicated the annunciation of each warning to the crew in terms of 
whether there was an audio alert, a visual alert, a local light and/or the automatic 
display of the applicable system page. By correlating the applicable system page, 
the recorded ECAM warning and its relevant priority, the DISPLAY time and 
FCOM indications and the changes in aircraft systems and control positions, the 
most likely ECAM sequence processed by the crew was recreated. 


A number of ECAM procedures were recorded on more than one occasion during 
the sequence as a result of the particular ECAM being marked as RESET before the 
triggering conditions reoccurred. Where a recording time was indicated, this 
corresponded to the time that the system display (SD) page displayed the specific 
ECAM message, or the time at which specific events took place. These times are 
displayed in Coordinated Universal Time (UTC). Therefore the order in which the 
ECAM messages are listed in the following reconstruction is the likely order in 
which they presented to the crew. 


109 There were three separate conditions for each ECAM system warning or caution. If the parameters 
for a warning or caution were met, then the ECAM recorded that the warning was 
CALCULATED. The applicable ECAM procedure DISPLAYED on the EWD and, if there was an 
applicable system page to be called up as part of the warning, this was DISPLAYED on the SD 
monitor. Certain flight phases could inhibit the warning. Once a crew actioned the procedure, or 
the conditions were no longer present, the system RESETs the warning so that it is available later 
in the flight if needed. 


—171- 


ECAM procedure timeline 


The ECAM procedure timeline has been broken up into smaller segments to aid in 
reading and understanding of the ECAM procedures affecting the crew. The 
timeline is contiguous from one diagram to the next, that is, the next diagram starts 
immediately after the end of the previous one. 


The following information is provided to enhance reader understanding of the 
ECAM timeline: 


e Each system page is displayed via a different colour as follows: 
System page called by Warning 
System page called by Advisory 
System page called by Flight Phase 


System page called manually by flight crew 


e The start time and duration each page display is shown as 02:02:10 — 
02:02:28 (in this case meaning an 18 second display). 


e The name of the applicable system page is displayed below the time scale. 


e The applicable ECAM procedure that was most likely to have triggered the 
system page display, or was found from the data analysis to have occurred 
at a particular time, is displayed in the following convention: 


FUEL FEED TK 2 MAIN+STBY PMPS FAULT. 
An arrow indicates the message's place on the timeline. 


e Specific activities are commented on by the ATSB such as - APU 
STARTED 


The timeline starts at 02:00:00 and ends after the aircraft stopped on the runway at 
03:46:45. 


ECAM following the engine failure 


The first ECAM message was displayed at 02:01:08 and confirmed by the flight 
crew as ENG 2 TURBINE OVHT (Figure A5). There was no system page 
displayed with this message. Therefore the applicable system page at that time was 
the CRUISE" page. Many other ECAM warnings continued to be generated 
following the engine failure. At 02:01:30, nearly all the warnings were recorded as 
being RESET. The warnings were recorded as reappearing some 27 seconds later 
and were again displayed to the crew. 


The data showed that at 02:09:56 the crew manually selected the ENGINE system 
page. The flight crew indicated that at this time, they could see that one of the 
upcoming ECAM warnings related to the Yellow hydraulic system. Knowing that 
the Yellow system was powered by the still-running engines No. 3 and 4, the crew 
were questioning the effect of any aircraft damage on the functionality of the 
ECAM itself. The crew reported that, to assist their decision making as to whether 
the ECAM was functioning correctly, they selected the ENGINE and 


110 The CRUISE system page is displayed automatically when the aircraft passes 1,500 ft above the 
airport of departure or on reaching the thrust reduction altitude, whichever is higher. 
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HYDRAULIC pages to identify any damage to engines No. 3 and 4, or to the 


Yellow hydraulic system. 


Figure A5: ECAM timeline 02:00:00 to 02:12:05 


02:01:08 

ENG 2 TURBINE OVERHEAT 
02:01:09 

ENG 2 STALL 

ENG 2 OIL TEMP HI 

ENG 2 EGT OVER LIMIT 
02:01:13 

F/CTL SLAT SYS 1*2 FAULT 

HYD G RSVR PRESS LO 

HYD Y ENG 4 PMP A PRESS LO 

HYD Y ENG 4 PMP B PRESS LO 

L/G CTL 1 FAULT 

AIR L OUTR WING LEAK 

AIR L INR WING LEAK 

AIR ENG 2 BLEED LEAK 
02:01:14 

F/CTL PART SPLRS FAULT 

F/CTL ALTN LAW (PROT LOST) 

L/G CTL 2 FAULT 


02:01:15 
ELEC DRIVE 1 DISCONNECTED 


HYD G RSVR LEVEL LO 
02:01:16 

ELEC C/B TRIPPED 

ELEC DRIVE 2 DISCONNECTED 
02:01:17 


F/CTL L MID AILERON FAULT 


02:01:30 

NUMEROUS ECAM 
PROCEDURES RESET 
02:01:51 - 02:02:17 
Engine 
02:02:42 - 02:04:2 
Engine 


02:00:00 


02:02:41 
ne 


ENG 2 FAIL 


ENG 2 FIRE 


LOW 


ENG 2 TURBINE 
OVERHEAT 


BRAKES A-SKID FAULT ON WING LG 


F/CTL AILERON ACUATOR FAULT 
F/CTL AILERON ELEC ACUATOR FAULT 


02:04:25 - 02:06:29 


02:06:30 - 02:06:38 


(RESETS AFTER 3 SECONDS) 


ENG 2 OIL PRESSURE 


02:01:18 
ELEC AC BUS 2 FAULT 
ENG 2 NORM MODE FAULT 
02:01:23 
A-ICE WING VLV OPEN 
A-ICE ENG 1 VLV OPEN 
A-ICE ENG 2 VLV OPEN 
02:01:24 
AIR L OUTR WING LEAK 
AIR L INR WING LEAK 
AIR ENG 2 BLEED LEAK 
02:01:25 
FUEL JETTISON VLV NOT CLOSED 
ENG 1 NORM*ALTN MODE FAULT 
ENG 2 NORM+ALTN MODE FAULT 
ENG 4 NORM+ALTN MODE FAULT 
02:01:28 


F/CTL AILERON ACTUATOR FAULT 


Engine AUTO FLT A/THR OFF 


02:06:39 - 02:06:42 
Cruise 


F/CTL SLAT SYS 1*2 FAULT 


02:12:05 


43 - 02:07:18 
F/CTL 
ISHUTDOWN 


HYD G SYS PRESS LO 


Wheel 


VENT COOLG SYS OVHT 


HYD G RSVR AIR PRESS LO 


HYD G RSVR LEVEL LO 


The crew manually selected the HYDRAULIC system page at 02:12:06, again to 
assist their decision making in relation to the displayed ECAM warnings. They 
discussed the information available to them, and considered the information from 


the system pages. The crew recalled that this discussion took some time, after which 
they decided that it was unlikely that ECAM was malfunctioning and that they 
should action the ECAM procedures as displayed. Recorded data showed that the 


crew actioned the ECAM procedure for the Yellow hydraulic system and the 


Eug 


applicable position of the HYD Y PMP A+B action is displayed accordingly in 
Figure A6. 


ECAM procedures after the aircraft entered the holding pattern 


The aircraft entered the holding pattern at 02:18:05. The crew reported that a 
number of already actioned ECAM procedures, specifically related to the fuel 
system, reappeared during the ECAM sequence after that time. Airbus indicated 
that one of these procedures was to reset the fuel quantity management system 
(FQMS) and as part of that reset, any applicable ECAM procedure already 
completed would be recalled. The FQMS reset time is displayed in Figure A6. 


Figure A6: ECAM timeline 02:12:06 to 02:23:02 


FUEL NORM+ALTN XFR FAULT 


ADVISORY LOW OIL QUANTITY ENG 2 FUEL FEED TK 2 MAIN+STBY PMPS FAULT 


FUEL NORM*ALTN XFR FAULT 
FUEL JETTISON VLV NOT CLOSED 


Data shows that checklist items for FQMS RESET AS PART 
HYD Y ENG 4 PMP A*B actioned OF ECAM PROCEDURE 


FUEL NORM*ALTN MODE FAULT F/CTL\PART SPLRS FAULT 


FUEL JETTISON VLV NOT CLOSED 


02:22:42 - 02:28:02 
Fuel 


AIR L INR WING|LEAK 

HYD Y ENG 4 PMP A PRESS LO AIR L OUTR WING LEAK 

HYD Y ENG 4 PMP B PRESS LO AIR ENG 2 BLEED LEAK 
16:43 


02:21:56,- 02:22:05 


02:12:06 2:23:02 
ELEC AC 


02:16:20 - 02:16;29 02:18:43 - 02:19:33 eae) me 2:22:42 
L/AC Bleed um UT 


EL/AC 


ENG 1 NORM*ALT MODE FAULT 
ENG 2 NORM*ALT MODE FAULT 
ENG 4 NORM*ALT MODE FAULT 


ELEC AC BUS 2 FAULT 


FUEL JETTISON VLV NOT CLOSED 


The crew reported that whenever a fuel-related ECAM displayed, and due to the 
extensive damage to the fuel system and number of problems displayed on the 
associated FUEL system page, they took considerable time understanding the 
ECAM procedure and the action in response. The crew took care to fully 
understand each system display before following a procedure on a system that was 
displaying significant damage. Figure A7 records the FUEL system page display for 
8 minutes and 2 seconds and accords with the flight crew's recollection. 


du 


Figure A7: ECAM timeline 02:23:03 to 02:31:45 


ADVISORY LOW OIL QUANTITY ENG 2 


F/CTL ALTN LAW (PROT LOST) 


02:81:07 - 02:31:35 


02:23:03 Qu :45 


FUEL L INR TK FWD*AFT PMPS FAULT 44: 34: 
FUEL R INR TK FWD*AFT PMPS FAULT — n 


The first officer recalled that, during the time that the ECAM messages were being 
processed, there was a recurring ADVISORY LOW OIL QUANTITY ENG 2 
message. This advisory can be seen in a number of places throughout the timeline 
(Figure A7 and Figure A8), with two occurrences shown in Figure A8 and another 
in Figure A9. 


Figure A8: ECAM timeline 02:31:46 to 02:34:45 


ADVISORY LOW OIL QUANTITY ENG 2 


\ \ 
A-ICE ENG 1 VLV OPEN 


FUEL FEED TK 2 MAIN+STBY PMPS FAULT, 


02:34:18 - 02:34:45 
Engine 


02:33:18 - 02:33:22 


(02:31:46 | | 02:34:45 


02:33:06 - 02:33:17 
Engine 


FUEL WINGS NOT BALANCED 
FUEL L INR TK FWD*AFT PMPS FAULT 
FUEL R INR TK FWD*AFT PMPS FAULT 
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Figure A9: ECAM timeline 02:34:46 to 02:37:30 


L/G CTL 2 FAULT 


F/CTL L OUTR AILERON FAULT 
F/CTL R OUTR AILERON FAULT 


F/CTL L MID AILERON FAULT 
aai = A-ICE L WING VLV OPEN 
F/CTL AILERON ACTUATOR FAULT 02:36:26 - 02:36:33 
Cond 
02:34:46 - 02:35:01 02:35:59 - 02:36:10 02:36:42 - 02:37:19 
FICTL FICTL 


2:346 | | | | | 02:37:30 


TS er 02:36:11 - 02:36:25 
ELEC C/B TRIPPED 02:35:61 -02:36:58 Wheel 
Engine \ 
\ 02:36:34 - 02:36:41 02:37:20 - 02:37:30 
ADVISORY LOW OIL QUANTITY ENG 2 ELIAC Bleed 


COND FWD CARGO VENT FAULT 


At 02:37:31, the crew actions in respect of the list of ECAM messages were 
complete and the STATUS (STS) page was displayed to the crew. Over the next 
7 minutes, the crew reviewed the aircraft systems and associated procedures and 
limitations via that page. Subsequently the crew decided to start the APU in an 
attempt to alleviate some of the electrical system problems. The crew manually 
selected the APU page and started the unit at 02:45:22 (Figure A10). 


Figure A10: ECAM timeline 02:37:31 to 02:46:14 


ENG 2 FIRE DET FAULT 02:45:22 - 02:46:14 


/ APU START APU 
02:37:31 | | 02:46:14 


02:44:38 - 02:45:21 
Fuel 


Once the APU was running, the system display pages changed to those being 
manually selected, rather than being automatically displayed as part of the ECAM 
function. That was consistent with the crew progressing through a number of 
different systems and their recollection of seeking to understand what damage had 
occurred, and what systems functionality remained. These pages are displayed in 
Figure A11. 
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Figure A11: ECAM timeline 02:46:15 to 03:13:42 


03:00:27 - 03:00:34 
Engine 


02:46:15 - 02:52:34 02:52:47 - 03:00:26 
STS STS 


03:01:09 - 03:05:30 URL APR 
Fuel 


F/CTL 
| | 03:13:42 


02:52:35 - 02:52:46 03:00:35 - 03:01:08 03:05:32 - 03:12:14 
Fuel STS STS 


02:46:15 


At 03:13:43, the CRUISE page was once again selected. All of the required ECAM 
actions were completed by that time and the crew later reported that they had begun 
to understand the effect of the engine failure on the aircraft and its systems. 


The flight crew commenced preparing the aircraft for landing at Changi Airport and 
accessed the Landing Distance Performance Application to determine the 
performance in the case of an overweight landing. The supporting ECAM 
procedure for OVERWEIGHT LDG is displayed in Figure A12. The de-selection of 
autopilot is also shown, consistent with the conduct by the crew of a manual control 
check of the aircraft. ™ 


Figure A12: ECAM timeline 03:13:43 to 03:26:17 


AUTO FLT AP OFF 


03:13:43 - 03:13:44 03:16:33 - 03:18:03 03:26:04 - 03:26:17 
Engine Fuel F/CTL 


03:13:45 - 03:16:32 


e 03:23:06 - 03:26:04 
Cruise 


MISC OVERWEIGHT LANDING Fuel 


ECAM procedures after the aircraft left the holding pattern 


The aircraft left the holding pattern about 03:28:00 and was vectored to the final 
approach course. Figure A13 shows the system page display as the crew manually 
selected various system displays to further enhance their understanding of the 
condition of the aircraft and its systems. It also has two occurrences where the page 
reverted to the CRUISE page and where the crew selected the flight control page. 
The crew reported that the selections of the flight control page were to further 
assess the aircraft’s controllability during reconfiguration. 


111 The actual flight controls (ailerons, spoilers, elevators and rudders) are not directly viewable from 
the cockpit. The only way that a crew can assess control functionality is to select the applicable 
F/CTL system page and monitor the displayed deflection of each control as they manoeuvre their 
aircraft. 


sae fe 


Figure A13: ECAM timeline 03:26:18 to 03:37:57 


ENG 2 THR LEVER FAULT 
ENG 1 NORM*ALTN MODE FAULT 


ENG 1 NORM*ALTN MODE FAULT 
ENG 2 NORM+ALTN MODE FAULT 
ENG 4 NORM+ALTN MODE FAULT ENG 4 NORM*ALTN MODE FAULT 


03:26:18 - 03:27:45 03:28:56 - 03:29:09 
STS EL/AC 3:34:33 - 03:35:13 


STS 


3:26:18 | | 


03:27:46 - 03:28:35 
Cruise 


03:37:57] 


03:29:10 - 03:29:45 
Cruise 03:35:14 - 03:35:16 


AIR PACK REGUL DEGRADED Cruise 
AUTO FLT AP OFF 


ECAM procedures during the final approach and landing 


Figure A14 shows the aircraft during the final approach to Changi Airport and 
includes the manual extension of the landing gear. It also shows that the landing 
gear was down and locked at about 03:37:57 as indicated by the automatic display 
of the WHEEL page.'" 


After the aircraft landed and the speed passed below 80 kt, a number of ECAM 
messages that were previously inhibited by the flight phase were displayed to the 
crew. Once the aircraft came to a stop and the crew had, to the extent possible shut 
down the aircraft, additional ECAM messages that would normally have been 
displayed at that time remained inhibited due to ongoing phase of flight parameters. 
These parameters normally ceased 5 minutes after the final engine was shut down. 
In this instance, the continuing operation of the No. 1 engine meant that the aircraft 
had not yet reached the final flight phase. 


!7 The WHEEL system page is called automatically when the aircraft landing gear is lowered on 
approach to land. 
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Figure A14: ECAM timeline 03:37:57 to 03:46:45 


The following ECAM messages appeared after the aircraft came 
to a stop. 


03:48:18 
ELEC AC BUS 2 FAULT 
F/CTL ALTN LAW (PROT LOST) 
03:49:02 
STEER NORM N/W STEER FAULT 
03:49:05 
BRAKES NORM BRK PRESS MONITORING FAULT 
BRAKES ALT BRK PRESS MONITORING FAULT 
ENG 1 FIRE LOOP A FAULT 
CABIN DRAIN MASTS HEATING FAULT 
03:49:08 
ENG 1 HP VLV FAULT 
03:49:09 
FUEL L INR TANK FWD PMP FAULT 
ENG 1 FIRE DET FAULT 
03:49:11 
F/CTL ALTN LAW (PROT LOST) 


03:39:34 - 03:40:01 03:46:03 - 03:46:45 
F/CTL 03:42:53 - 03:43:04 STS 
03:37:57 - 03:38:12 Fuel 


Wheel 


i -— 


03:37:5, AUTO FLT AP OFF 03:46:45. 
48. -49- The following ECAM messages appeared as the 
:38:13 - 03:39: 
= pin — aircraft slowed below 80 knots during the 
03:40:02 - 03:40:32 landing roll. There were not displayed in flight 


Wheel due to flight phase inhibition. 


FUEL ENG 2 LP VLV FAULT 
HYD G ELEC PMP A FAULT 
HYD G ELEC PMP B FAULT 


A-ICE L WING VLV OPEN 

ENG 1 OVERTHRUST PROT LOST 

ENG 4 OVERTHRUST PROT LOST 

ENG 1 MINOR FAULT 

ENG 4 MINOR FAULT 

HYD G FUEL HEAT EXCHANGER VLV FAULT 


dy 
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APPENDIX B: DETAILED DAMAGE DESCRIPTION 


Introduction 


The No. 2 engine sustained an uncontained failure when the intermediate pressure 
(IP) turbine disc burst into three main fragments, resulting in a complete 
circumferential breach of the engine case. Once the engine case was breached, high 
energy disc segments, associated turbine blades and other engine debris were 


released and impacted the airframe. 


A large fragment measuring approximately 4096 of the total disc circumference was 


recovered from Batam Island, Indonesia. 


It is likely that at least one of the three main disc fragments broke up into smaller 
pieces during its initial ballistic trajectory through the engine case, before impacting 
the left wing structure. A smaller disc fragment and associated engine debris 
penetrated through the wing-to-body fairing and impacted airframe structure. 
Smaller, high-energy disc fragments and engine debris also impacted the airframe, 


resulting in significant damage (Figure B1). 


Figure B1: Trajectory of the major disc segments. Two main fragments 
impacted the wing. A smaller, high energy fragment followed a 
different ballistic trajectory and penetrated the fuselage belly 


fairing structure. 


^ 


Two sections of the liberated disc 
|| | went through the left wing leading 
edge and front spar 


One section went through the 
belly fairing 


One additional section 
was found on ground 


Image source: Airbus 


Damage to wiring looms located in the left wing and the fuselage belly fairing 
resulted in the loss of a number of redundant systems that used segregated control 


wiring. Those systems included: 


e loss of the fuel isolation valves (LPSOV) for the No. 1 and No. 2 engine 
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* Joss of the fire protection system for the No. 1 engine 
* all means of shutting down the No. 1 engine 
* loss of function of the Green hydraulic system 


* Joss of fuel transfer system. 


This Appendix describes the structural airframe and system damage/degradation 
following the failure. 


Airframe structural damage 


The uncontained engine failure caused significant damage to the following airframe 
structures: 


*  No.2 engine pylon 
e No. 2 engine thrust links 
* left wing box structure, including the: 
— front spar 
— upper wing skin 
— lower wing skin 
— wing ribs 


e fuselage butt-straps number three and four. 


No. 2 engine pylon 


The engine pylon attached the engine to the wing. The No. 2 engine pylon sustained 
impact damage to its sidewalls including bending, scratches and small gouges. A 
section of the pylon was deformed along its length and width (Figure B2). 


Figure B2: Inboard side of the No. 2 pylon highlighting the deformation and 
the severed thrust struts (links) 


X Deformed section 
il of pylon 


wien) EP N, LI 
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No. 2 engine thrust link assembly 


The thrust link assembly transfers engine thrust load to the wing through the pylon 
and is comprised of a cross beam and two thrust struts (Figure B3). Each thrust strut 
is designed to withstand the limit loads of the engine thrust. Both thrust struts were 
severed as a result of impacts from the liberated engine debris (Figure B4). 


Figure B3: Engine thrust link assembly location in relation to the engine 


Image source: Airbus 
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Figure B4: Fractured tubular thrust struts 


ree] Engine pylon 


Thrust struts 


Left wing 


The aircraft’s left wing structure (Figure B5) comprised of the following main 
components: 


* the centre wing carry through structure, which forms part of the fuselage 
and gives attachment points for the wings 


e the left and right wing structures, each of which includes the wing box, 
wingtip, leading edge and leading edge devices and the trailing edge 
devices. 


The critical structural component of the wing is the wing box, which is comprised 
of the wing spars, upper and lower wing skins and ribs. 


-184- 


Figure B5: Left wing general layout 


Wing Box Structure 


Leading Edge Devices 


Trailing Edge Devices 


Wing Tip 


Image source: Airbus 


Wing damage 

A section of the fractured turbine disc penetrated through the engine case, before 
continuing through the wing's non-structural composite leading edge and wing spar 
and then exiting through the upper wing skin (wing box structure) in a trajectory 
that projected over the fuselage. The areas of significant damage to the wing are 
shown in Figure B6. 
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Figure B6: Left wing schematic showing the locations of significant wing skin 
damage and distribution of debris path 


\ @ Perforation of wing bottom skin 


© Perforation of wing upper skin 


zs f À @ Perforation of fairing 
\ v Line / plane of damages | ~. Debris area 

| ` 

t J o 


Image modified from an Airbus supplied image 


Left wing upper and lower skin 


The upper and lower wing skins were each comprised of five separate panels 
(Figure B7). The multiple wing panel design provided a degree of protection 
against crack propagation across the wing skin. 


Figure B7: Upper wing skin panels 


Panel 5 


Panel 4 Panel 3 


Image source: Airbus 
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Left wing lower wing skin damage 


Lower wing skin (Figure B8) comprised of panels 1, 2, 3 and 4 (Figure B9). Impact 
damage was evident in 35 locations, including 2 perforations through to feed tank 2 
(Figure B10 to Figure B13). 


Figure B8: Lower wing structure highlighted in orange 


Image source: Airbus 


Figure B9: lower wing skin panels 


Panel 5 E e 


Panel 4 


Image source: Airbus 


Damage to the left wing lower skins included two puncture holes and impact 
damage including scores, dents and gouges measuring from a few millimetres to 
about 200 mm in length (Table B1). Most of the damage was concentrated between 
ribs No. 8 to Rib No. 14, with additional damage evident further outboard. A 
significant amount of fuel leaked from feed tank No. 2 as a result of the puncture 
holes. 
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Table B1: Wing lower skin damage 


Rib Stringer Damage type Damage polar Damage 
location number length mm rim depth mm 
4 8-9 Score damage 28 14 0.75 
4-5 5-6 Score damage 12.5 7.4 0.32 
6-7 7-8 Score damage 
6-7 9 Dent & score 58 14 3 
7 5-6 Score damage 35 7 0.65 
7-8 5-6 Dent & score 75/35 25/25 6/0.6 
7-8 6 Dent & score 13 5 1.5 
7 FS Hole & dent 220 90 Hole 
6-7 FS Dent & score 18 12 2.2 
7-8 FS Dent & score 45 20 2 
7-8 3 Dent & score 30 15 1.3 
8 3-4 Dent & score 70 18 5 
8-9 5-6 Dent & score 23 10 2.2 
8-9 1 Dent & score 10 6 1.2 
9-10 1 Dent & score 22 7 1.2 
10-11 6 Dents & scores 45 10 1 
10-11 1 Scores 55 20 6 
10-11 6 oue i Lm 140 110 Hole 
10-11 4 Several dents and 80 40 05 
scores 
10-11 FS Hole and scores 60 60 Hole 
12-13 FS Dent & score 40 30 4.9 
12-13 4-5 Score damage 34 6 1.5 
13-14 3-4 Score damage 23 10 0.8 
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Figure B10: Penetration damage to the lower wing skin and droop nose flap 
from major IP turbine disc fragments and other engine debris that 
were ejected after the burst 


Droop nose flap 


Leading edge composite panels 
| 


Figure B11: Lower wing skin perforations (circled) leading to fuel leakage 
from the No. 2 feeder tank 
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Figure B12: Puncture damage to the left-lower wing skin looking forward from 
inside the wing 


Figure B13: Impact damage to the lower wing skin 


Impact damage to 
wing leading edge 
composite structure 


Upper wing structure damage 


The upper wing skin (Figure B14) had significant damage from a disc fragment that 
had passed through the engine case, front spar and exited through wing upper skin 
panel No. 1, between Ribs 9 and 10 and stringer 2 and the front spar (Table B15 
and B16). 


The exit damage hole measured approximately 450 mm by 100 mm, and was 
located 100 mm rearward of the front spar between Rib 9 and Rib 10. 
Approximately 166 cm? of upper wing skin material was liberated. 
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A chordwise crack about 300mm length also emanated from the forward point of 
the damage. 


Figure B14: Upper wing skin structural panels highlighted in orange 


Image source: Airbus 
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Figure B15: Upper wing damage showing structural and non-structural 
damage 
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Figure B16: Damage to the upper wing skin from a significant disc fragment, 
panel No. 1 between Ribs 9 and 10 


Inboard 


Upper wing skin 


Left wing front spar 


The front spar is comprised of five segments and formed part of the box structure 
and the integral wing fuel tank. Joint plates connected these segments to make one 
structure. A feature of the spar's construction was the closely pitched vertical and 
horizontal stiffeners. In the event of damage, these stiffeners were designed to act 
as shear panel boundaries by providing edge support and to limit crack propagation 
and the subsequent loss of structural integrity of the remaining intact panels. 


The front spar was punctured in four areas between the No. 2 engine and the 
fuselage. It was evident from streaking of the anti-corrosion coating that fuel had 
escaped through the damaged structure (Figure B17). 


The largest hole had an area of about 35 cm x 35 cm due to impact by a section of 
the liberated turbine disc (Figure B17). There were four visible cracks emanating 
from that hole. Vertical and horizontal stiffeners on the aft surface of the spar were 
also damaged. There were three other smaller holes of about 35 cm’, 10 cm^ and 7 
cm (Figure B18 and Table B2). 
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Figure B17: Impact damage from penetration of a disc fragment through the 
front spar of the left wing. The fragment continued in its trajectory 
to exit through the upper wing skin 
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| Anti-corrosion 
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Figure B18: Damage schematic of the left wing front spar, looking at the 
forward side that extended between Rib 8 and Rib 14 


pann oe [33] 


Image source: Airbus 
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Table B2: Wing front spar damage 


Item Rib Damage type Length Width Depth 
1 8-9 Scrape 73 18 2 
2 9-10 Hole & impact damage 350 350 Hole 
3 9-10 Hole & impact damage 82 20 Hole 
4 10-11 Hole & impact damage 150 120 Hole 
5 10-11 Scrape 16 15 4 
6 11 Scrape 7 5 1.25 
7 11-12 Scrape 18 4 1 
8 10-11 Scrape 12 5 2.1 
9 10-11 Several scrapes 70 40 1.6 
10 11-12 Several scrapes 22 11 3.5 
11 12-13 Several scrapes 17 5 1 
12 12-13 Hole 86 40 Hole 
13 12-13 Scrape 5 2 1 
14 12-13 Scrape 20 5 1.3 
15 12-13 Scrape 22 10 0.4 
16 12-13 Scrape 25 12 0.1 
17 13-14 Scrape 9 5 0.35 
19 13-14 Scrape 16 10 0.4 
19 12-13 Scrape 22 1 0.1 
20 8 Impact damage nil 


Internal rib damage 


The wing ribs are located between the spars and formed part of the integral wing 
box structure. Wing ribs 8 to 14 had impact damage from disc fragments, engine 
and airframe debris (Figure B19). 


Engine debris was recovered from inside the wing between ribs 8-10 (Figure B20), 
including portions of IP turbine blade roots and engine case. 
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Figure B19: Internal wing rib damage showing damage in 5 locations. Viewed 
from lower wing skin access panel 


| 
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N 
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Figure B20: Location of major damage to ribs No. 8 to 14 (highlighted) and the 
front spar within the wing structure 


Front Spar 


Image source: Airbus 


Fuselage butt-straps No. 3 and No. 4 


A butt-strap is a drop-forged fitting that overlaps and fastens the wing to the 
fuselage in conjunction with other structural components. Butt-straps No. 3 and 4 
are located at the lower fuselage joint between Frames 46 and 56. These straps 
sustained impact damage, included gouging over an area of about 76 cm’ from 
liberated engine debris between frames 51 and 52 (Figure B21, Figure B22, 
Figure B23). 


Figure B21: Butt-straps No. 3 and No. 4 with damage highlighted 
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Image source: Airbus 
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Figure B22: Left butt-straps and damage location between Frame 52 and 51 
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Figure B23: Schematic of the butt-straps damage between Frame 52 and 51 
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Minor damage 


Fuselage damage 


The left side of the fuselage (Figures B24 and B25), from passenger door 2 left to 
the horizontal stabiliser, had impact damage from engine and airframe debris. 
Although the debris did not penetrate through the fuselage skin, that damage was 
considered significant and required repair prior to further flight. 


Centre fuselage - section 15 damage 


* Three fuselage skin panels were damaged in section 15 (Figure B24 and 
Table B3) that damage included: 


* FR46-FR62, STGR6LH-STGR22LH, 39 items of impact damage 
(scratches, gouges and dents) and 6 windows damaged in that location. 


*  FR46-FR62, STGR22LH-STGR39LH, 19 items of impact damage 
(scratches, gouges and dents) and 1 window damaged in that location. 


*  FR62-FR74, STGR22LH-STGR39LH, 4 items of impact damage 
(scratches, gouges and dents) and 1 window damaged in that location. 
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Figure B24: Centre fuselage - section 15 highlighted in orange 


Image source: Airbus 


Table B3: Fuselage damage along section 15 


Type of Damage 


Between Frames 


Between Stringers 


Gouges 54-55 18-21 
Gouges 55-56 17-18 
Gouges 55-56 22 
Gouges 55-56 18-21 
Gouges 55-56 18-21 
Scratches 55-56 21 
Scratches 56-57 18-21 
Gouges on Window 56-57 18-21 
Gouges 56-57 15-16 
Gouges 56-57 21 
Gouges 57-58 18-21 
Gouges 58-59 18-21 
Scratches Window/Frame 67-68 18-21 
Gouge 50-51 25 
Gouge 50-51 25-26 
Gouge 50-51 24-25 
Gouge 54-55 24-25 
Scratch 54-55 23-24 
Gouge 54-55 26-27 
Gouge 55-56 25-26 
Gouge 55-56 25-26 
Gouge 56-57 24-25 
Gouge 59-60 22-23 
Gouge/Dent 47-48 28-29 
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Type of Damage Between Frames Between Stringers 
Gouge 52-53 30-31 
Gouge 54-55 33 
Gouge 52-53 32-33 
Gouge 53-54 27-28 
Gouge 55-56 27-28 
Gouge 59-60 27-28 
Gouge 61-62 35-38 
Gouge 63-64 29 

Gouge on Window 65-66 35-38 
Gouge 68 32-33 
Gouge 69 33-34 


Fuselage damage along fuselage section 19 
Three fuselage skin panels were damaged in section 19 (Figure B25), Damage at 
that location required repair prior to further flight, that damage included (Table B4): 


* FR74-FR89, STGR6LH-STGR22LH, 5 items of impact damage (scratches, 
gouges and dents) in that location. 


* FR74-FR81, STGR22LH-STGR39LH, 5 items of impact damage 
(scratches, gouges and dents) in that location. 


*  FR81-FR89, STGR22LH-STGR39LH, 3 items of impact damage 
(scratches, gouges and dents) in that location. 


Figure B25: rear fuselage - section 19 highlighted in orange 


Image source: Airbus 
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Table B4: Fuselage damage section 19 


Type of Damage Between stringers 
77-78 
79-80 


Gouge/Scratch 


Scratch 


Gouge 
Gouge 30-31 
Gouge 38-39 


Trimmable Horizontal Stabiliser 


The left side of the trimmable horizontal stabiliser leading edge (Figure B26) was 
damaged from engine and airframe debris at five locations along the leading edge 
(scratches, gouges and dents). Damage at that location required repair prior to 
flight. 


Figure B26: Trimmable Horizontal Stabiliser leading edge skin panels 
highlighted in orange 


Image source: Airbus 


Vertical stabiliser 


The left side of the vertical stabiliser (Figure B27) was damaged from engine and 
airframe debris at five locations along the leading edge (scratches). Damage at that 
location required repair prior to flight. 


— 202 - 


Figure B27: Vertical stabiliser spar box skin highlighted in orange 
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Image source: Airbus 


Wing leading edge structure 


The left wing leading edge substructure, droop nose flaps, composite skins and 
components in that area, between the number two engine and the fuselage (Figures 
B28-B30) were subject to significant impact forces. Although the damage incurred 
was significant, it was not considered to be major structural damage. 


Figure B28: Wing leading edge sub structure diagram 


5 Front Spar 


C CAE I Sel , Rib 9 
sain =, IESE iw, Rib 10 
RS V A NES 
(G/L RST ERS 
diii Lf A 7 Fee as a INTERCOSTALS & STRINGERS 
NOSE RIBS wá Li [AUS USO Sd ss " 
5 M TT SR SEN Sa 2 
nose ries ” HINGE RIBI Ka P EORR, o 
SLANTRIB e Ex (CRAS (> 1 
ndn agm RIB2 en Epp. fell 
INTERMEDIATE Ril * (s PEL 
[^] TERMEDIATE RIB MA Spars 
i 


DRIVE RIBS 


HINGE RIB4 


CRESCENT RIB 


CLOSING RIB 


Image source: Airbus 


— 203 - 


Figure B29: Engine debris impacted the wing droop nose slat, wing structure 
and components within the leading edge—viewed from the upper 
wing surface 


Figure B30: Damage to the drive motor located at leading edge Drive Rib 
No.4 
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Belly fairing and internal structure 


The belly fairing and centre wing box structure (Figure B31) of the aircraft 
sustained significant damage from engine fragments. A smaller-sized, high-energy 
disc fragment penetrated the belly region of frame 51 (Figure B32 to Figure B36). 


Figure B31: General location of the belly fairing panels on the A380 aircraft 
highlighted in orange 


Image source: Airbus 


Figure B32: A smaller, high energy fragment of the IP turbine cut a swath 
directly through the belly fairing of the aircraft—view looking to the 
right of the aircraft with the No. 3 engine in the background. 
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Figure B33: Structural arrangement of the fuselage between frames 50 and 54 
showing the damage points from engine debris that penetrated the 
belly fairing 
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Image source: Airbus 


Figure B34: Impact and penetration damage to the fuselage structure between 
airframe locations FR50 and FR54 from a high-energy fragment of 
the IP turbine disc 
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Figure B35: Stringer 2 LH impact damage 


Figure B36: Stringer 5 LH impact damage 


z2gf- 


Aircraft systems 


System effects - wiring damage 


The debris from the engine failure directly damaged a number of systems, which in 
turn affected a number of other systems. Although some systems sustained direct 
mechanical damage, most of the affected systems were damaged through debris 
impact to the respective wiring looms. Two main wiring looms were impacted by 
debris; one running through the leading edge of the left wing, and the other in the 
belly fairing. This resulted in damage to about 650 wires in total (Figure B37 to 
Figure B51). 


Figure B37: Representation of the smaller, high energy disc fragment's 
trajectory through the aircraft belly fairing (keel beam) which 
severed wiring harnesses 
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Image source: Airbus 
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Figure B38: Representation of the disc fragment trajectory through the 
aircraft left wing leading edge which severed numerous wiring 
harnesses 
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Image source: Airbus 


Figure B39: General location of the wiring harness damage within the leading 
edge of the left wing—red framed area expanded in Figure B40 
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Figure B40: Wiring harness damage at three main locations within the leading 
edge of the Rib 9 and Rib 10 area 
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Figure B41: Damage location (a) from Figure B40 showing complete severing 
of the route 1M, 1S, 2S and 2M wiring harnesses—the entry/exit 
hole through the front spar and upper wing skin from a high-energy 
disc fragment is also apparent 
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Figure B42: Damage location (b) from Figure B40 
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Figure B44: Main damage to the route 1P route harnesses (looms 3025VB, 
3027VB, 3031VB and 3033VB), between Rib 9 and Rib 10 of the left 
wing lead edge. All wires within the harness were completely 
severed. The debris entry/exit hole through the front spar is also 
evident 


Figure B45: Detailed locations of damage to the 1G route (electrical harness 
3029VB), primarily between Rib 9, 10 and 11 of the left wing; four of 
the 9 feeder and exciter cables have been severed—red framed 
area expanded in Figure B46 
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Figure B46: Close detail of damage to route 1G, 3029VB harness, between Rib 
10 and Rib 11 


Figure B47: Wiring harnesses within the belly region of the aircraft structure 
were damaged from the liberated engine debris. Shown is harness 
1525VB (route 1MK). All wires were severed 
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Figure B48: Wiring harnesses within the belly region of the aircraft structure 
were damaged from the liberated engine debris. Shown is harness 
1532VB (route 4M and 2MZ). All wires were severed 


Figure B49: Wiring harnesses within the belly region of the aircraft structure 
were damaged from the liberated engine debris. Shown is harness 
500HW1 (route 1PZ). All wires were severed 
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Figure B50: Location of the left wing fuel pump harness damage, routes 1M 
(fuel pump) and 2M (standby fuel pump) were both severed 


Figure B51: Damage to the 1M harness that supplied to the left wing forward 
fuel pump 


Depending on their use, several types of electrical wires were fitted within the 
A380: 


* type P (power supply distribution) 


* type S (sensitive signals) 
* type M (miscellaneous) 
* type G (electrical power services — feeders). 
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The following section outlines the aircraft systems that were affected either as a 
direct result of impact damage from engine debris, or from damage to electrical 

wiring that rendered them inoperative, either by design, or as a result of a loss of 
monitoring function. 


Table B5: Airframe systems affected by the wiring damage 


Air conditioning Fire Protection Flight Controls 
Electrical Power Fuel Hydraulic Power 
Ice and Rain Protection Landing Gear Lights 
Pneumatic Water/Waste Cabin Systems 
Engine Fuel and Control Ignition Engine Controls 
Exhaust Oil 


Table B6: Airframe wiring harnesses severed by the engine debris 


Wiring Route Harness Location, route detail 
1MK 1525VB Aircraft belly, between Frame 51 and Frame 52 
4M, 2MZ 1532VB Aircraft belly, between Frame 51 and Frame 52 
1PZ 500HW1 Aircraft belly, between Frame 51 and Frame 52 
1M 3001VB Left wing leading edge, between Rib 9 and Rib 10 
2M 3007VB Left wing leading edge, between Rib 9 and Rib 10 
1S 3013VB Left wing leading edge, between Rib 9 and Rib 10 
2S 3019VB Left wing leading edge, between Rib 9 and Rib 10 
3025VB 
3031VB 
1P 3027VB Left wing leading edge, between Rib 9 and Rib 10 
3031VB 
3035VB 
1M 3033VB Left wing, lower skin, feed tank 2 fuel pump 
2M 3031VB Left wing, lower skin, feed tank 2, standby fuel pump 
1G/1E een Left wing leading edge, between Rib 9 and Rib 10 
3G/3E 3043VB Left wing leading edge, between Rib 11 and Rib 12 


Hydraulic systems 


The A380 had two independent hydraulic systems identified as the Green system 
and the Yellow system (Figure B52). The Green system was powered by hydraulic 
pumps driven by engines No. 1 and 2 and the Yellow system by hydraulic pumps 
driven by engines No. 3 and 4. Two hydraulic pumps were fitted to each engine. On 
the ground without engines running, hydraulic power was provided by electric 
motor-driven pumps. The Green, Yellow and ground hydraulic systems were 
independent and hydraulic power could not be transferred from one system to the 
other. 
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Figure B52: Hydraulic power generation 
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Image source: Airbus 


The hydraulic system provided power to the flight controls, the landing gear 
systems and the cargo doors. In the event of a hydraulic system failure, the 
following redundant systems were available to provide backup hydraulic power 
(Figure B53): 


e 9electro-hydrostatic actuators (EHA) and electrical backup hydraulic 
actuators (EBHA) for use by the flight control systems 


e alocalelectro-hydraulic generation system (LEHGS), which can be used 
by the landing gear systems. 
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Figure B53: Green, Yellow and electrical hydraulic back up architecture 


Image source: Airbus 


Engine debris damage to the aircraft's wiring resulted in the loss of monitoring 
capability of the Green hydraulic system fluid level, system pressure and reservoir 
air pressure. The crew reported that they observed the Green hydraulic system fluid 
level indicator decreasing. At about the same time, the Electronic Centralised 
Aircraft Monitoring (ECAM) system displayed messages that required the crew to 
shut down the Green hydraulic system by disconnecting the No. 1 and 2 
engine-driven hydraulic pumps. However, the wiring damage prevented the 

No. 2 engine hydraulic pumps from being disconnected and, as a result of the 

No. 2 engine continuing to windmill in flight, a residual hydraulic pressure of about 
1,000 psi was maintained. Normal hydraulic system pressure was 5,000 psi. 
Subsequent examination of the Green hydraulic system found that there was no 
fluid loss. 


Damage to the wiring also resulted in the loss of monitoring capability of the 
Yellow hydraulic system engine-driven pumps on the No. 4 engine and the crew 
disconnected both pumps as per the ECAM procedure. The Yellow hydraulic 
system was powered by the No. 3 engine for the remainder of the flight. The 
Yellow hydraulic system maintained 5,000 psi for the remainder of the flight and 
subsequent examination found no fluid loss. 
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Electrical system 


General 


The A380 electrical system included alternating current (AC) and direct current 
(DC) power sources. In flight the AC system was powered by four engine-driven 
generators and one auxiliary power unit (APU)-driven generator if required. In an 
emergency situation a ram air turbine! was capable of supplying essential 
electrical loads. 


The aircraft's DC system was powered by the AC network via 5 transformer 
rectifier units. If AC power was not available, limited DC power could be provided 
from on board batteries. 


The APU had two AC generators labelled ‘A’ and ‘B’. In ground mode, APU 
generators A and B were available. In flight, only APU generator A was available. 
Therefore, on the ground the aircraft could draw AC power from either or both 
APU-driven AC generator or from external power. 


During normal operations, AC power was distributed to applicable systems via four 
independent AC busbars (Figure B54).'"* In emergency situations, the distribution 
of AC power was via one essential and one emergency busbar. 


DC power was normally distributed to applicable systems via two independent DC 
busbars. In emergency situations, there was one DC essential busbar. 


Figure B54: A380 electrical network architecture 
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Image source: Airbus 


113 An air-driven turbine that is coupled to an AC generator and can be deployed into the oncoming 
air flow to provide emergency electrical power. 


"4 A busbar is used to distribute electrical power to multiple outlets. 
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Effect of the damage to the aircraft on power supply 


The AC power generation feed lines from generators No. 1 and No. 2 were severed 
by engine debris, removing the power supply to AC busbar 1 (AC BUS 1) and 

AC BUS 2 (Figure B55). The system automatically reconfigured AC BUS 1 to 
obtain its supply from AC BUS 4. When the crew started the APU, AC BUS 1 was 
reconfigured to be supplied with AC power from APU generator A. 


In the event of a loss of power to AC BUS 2, the system would normally 
reconfigure to receive supply from AC BUS 3. Due to residual current being sensed 
from the No. 2 engine generator, the Generator and Ground Power Control Unit 
(GGPCU) considered the No. 2 generator was still online and isolated AC BUS 2. 
This resulted in AC BUS 2 being unable to be reconfigured and it was not powered. 


The loss of AC BUS 2 resulted in the loss of Air Data Inertial Reference Unit 
(ADIRU) 3. One of ADIRU 3's functions is to provide a speed signal to the 
electrical power system. This speed signal is used by the electrical power system to 
determine which APU generators are available to supply power. When power was 
lost to ADIRU 3, its speed signal output was frozen in the ‘speed higher than 

50 knots' configuration (that is, in the air mode). 


As the electrical system was locked in the air mode, only APU generator A was 
available to supply power following the shutdown of engines No. 3 and 4. This 
resulted in only AC BUS 1 and the essential bus bar continuing to be supplied with 
AC power. This limited power source resulted in some flight deck display screens 
being lost and only the VHF 1 radio being available for use by the flight crew. 


Figure B55: Engine feeder routing and the main damage location 
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Image source: Airbus 


Flight controls 


Immediately after the uncontained failure, the following flight controls were 
inoperative: 


e all slats 
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* all droop nose flaps 
e the left mid aileron 


* Spoilers No. 4 and 6 on the left wing. 


As a result of the inoperative slats, the flight law changed from normal law to 
alternate law." ^ Approximately 10 minutes later, coincident with the 
depressurisation of the Green hydraulic system, the following additional flight 
controls were unavailable: 


e the left and right outboard ailerons 

* Spoilers No. 2 and 8 on the left wing 
* Spoilers No. 2 and 8 on the right wing 
e Spoiler No. 4 on the right wing. 


All trailing edge flaps, the elevators and the trimmable horizontal stabiliser and 
rudder control surfaces remained available for the duration of the flight. 


The availability of the primary and secondary flight control surfaces following the 
uncontained engine failure and subsequent ECAM actions by the crew are depicted 
in Figure B56. 


Figure B56: Flight control surface status following the engine failure and 
ECAM actions by the crew (unavailable control surfaces 
highlighted in red) 
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Trailing edge flaps 


Flap extension and retraction was powered by two hydraulic motors. One motor 
was supplied with hydraulic pressure from the Green hydraulic system and the other 
from the Yellow hydraulic system. The flaps were operated through gearboxes, 
torque shafts and six rotary actuators (two for each flap). 


!5 [n normal law, all protections are available. In alternate law, some protections are reduced or lost. 
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No wiring damage affected the flap system; however the flaps operated at half 
normal speed due to the loss of the Green hydraulic system. 


Leading edge lift augmentation devices 


The slat and droop nose extension and retraction mechanism was normally powered 
by one hydraulic motor supplied by the Green hydraulic system, and one electric 
motor. During normal operation both drives were active. The slats and droop noses 
were operated through gearboxes, torque shafts and 16 rotary actuators—two for 
each slat and two for each droop nose (Figure B57). 


Wiring looms to the asymmetry position pickoff units and the wingtip power-off 
brakes were severed by engine debris. This damage affected the control and 
monitoring of the left wing slats. In addition the engine debris severed the left wing 
slat transmission. As a result the left wingtip power-off brakes automatically 
secured the slats and droop nose in the retracted position. "^ 


Figure B57: Leading edge lift augmentation mechanism 
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Primary flight controls actuation systems 


The primary flight control actuation systems in the A380 were powered by four 
independent systems; two hydraulic systems and two electrical systems 

(Figure B58). The aircraft was able to fly with only one hydraulic or one electrical 
system available. The control surfaces were actuated by the following mechanisms: 


!!6 The asymmetry position pickoff units determine any asymmetry between the left and right wing 
leading edge lift augmentation devices. The wingtip power-off brakes automatically secure the left 
and right wing leading edge lift augmentation devices when commanded, or if power is lost to the 
brakes. 
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* Conventional servocontrols "^: 


— four at the elevators (one inner and one outer per side) 
— two at the pitch trim 
— eight at the ailerons (two outer, one mid, one inner per wing) 
— oneat spoilers 1, 2, 3, 4, 7, and 8. 
e  Electro-hydrostatic actuators (EHA): 
— four at the elevators (one inner and one outer per side) 
— one at the pitch trim 
— four at the ailerons (one mid and one inner per wing). 
* Electrical backup hydraulic actuators (EBHA) 
— four at the rudders (two per surface) 


— spoilers 5 and 6. 


EHAs contained their own electro-hydraulic generation system that received 
commands from the fight control computers. EBHAs operated like a conventional 
servo-control, however, a specific mode called backup enabled them to operate like 
EHAs. 


Figure B58: Primary flight controls actuation system (a red cross indicates 
the loss of actuator operation after the engine failure) 


Image source: Airbus 


117 The servocontrols in the A380 were powered by the aircraft's Green or Yellow hydraulic systems 
and controlled electrically by the aircraft's flight control system. 
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Ailerons 


Each wing had an outboard, mid and inboard aileron. Each aileron had two 
independent actuators per control surface for redundancy (see the previous 
discussion at section B.3.3.3 titled Primary flight controls actuation systems). 


The loss of the Green hydraulic system and impact damage to the aircraft's wiring 
combined to affect the availability of the left aileron system for the remainder of the 
flight. As a result, the outboard aileron Yellow and Green servocontrols, mid 
aileron EHA and Yellow servocontrol and the inboard aileron Green servocontrol 
were unavailable. As a result, the left outer and mid ailerons were disabled. 

(Figure B58). 


On the right wing, the inboard Green and both outboard Yellow and Green 
servocontrols were unavailable. As a result, the right outboard aileron was disabled. 
The aileron droop function of the remaining operative surfaces was not affected. "° 


Spoilers 


Each wing had eight spoilers, numbered 1 to 8 outwards from the aircraft centreline 
(Figure B58). The loss of the Green hydraulic system and wiring damage resulted in 
the unavailability of spoilers 2, 4, 6 and 8 on the left wing and of spoilers 2, 4 and 

8 on the right wing. 


Elevators 


Each horizontal stabiliser had an inboard and outboard elevator, each with two 
independent actuators for redundancy (Figure B58). Although the Green hydraulic 
system servocontrols were lost on the left inboard and outboard elevators, all 
elevators remained operable due to the availability of redundant actuators. 


Trimmable horizontal stabiliser 


Pitch trim operation was unaffected following the uncontained engine failure. The 
trimmable horizontal stabiliser had three independent actuators, numbered 1 to 3 
from left to right, for redundancy (Figure B58). The loss of the Green hydraulic 
pressure rendered the No. 1 actuator inoperative, while actuators 2 and 3 continued 
normal operation. 


Rudder 


The vertical stabiliser had an upper and lower rudder, each with two EBHA 
actuators. These actuators were numbered lower/upper 1 and 2. Despite the loss of 
Green hydraulic system pressure, system redundancy meant that there was no loss 
of any rudder actuators. 


Landing gear 


The A380 landing gear comprised of the left and right wing landing gear, the left 
and right body landing gear and the nose gear (Figure B59). 


18 The droop function augments the high lift function of the slats and flaps during approach. When 
the flaps are extended all ailerons droop downwards to increase the camber of the wing. 
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Figure B59: A380 landing gear configuration 
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Landing gear extension 


The Green hydraulic system provided the hydraulic power supply for the nose and 
wing landing gear and their respective gear doors. The Yellow hydraulic system 
provided the hydraulic power supply for the body landing gear and their respective 
gear doors. 


In the event that Yellow or Green hydraulic power was not available to extend the 
landing gear, the crew were required to perform a gravity extension procedure. The 
depressurisation of the Green hydraulic system necessitated the extension of the 
landing gear by the flight crew using this procedure. 


Braking 


All of the A380's wing landing gear wheels were equipped with hydraulically 
actuated brakes. Similarly, all of the wheels on the body landing gear (except for 
wheels 17 to 20) were equipped with hydraulically actuated brakes. Wheels 17 to 
20 are used for body gear steering (Figure B59). 


The A380's braking control system included reconfiguration logic, which was 
based on a philosophy of maintaining performance requirements despite associated 
equipment failures that result in changes to the braking mode. A number of braking 
modes were available in the A380, including NORMAL, ALTERNATE, 
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EMERGENCY and ULTIMATE." The logic took account of the availability of 
the respective operating modes. 


Engine debris damage to the wiring looms affected the aircraft’s braking system as 
follows: 


e the body landing gear brakes remained in NORMAL mode 


e the right wing landing gear brakes reconfigured to ALTERNATE mode but 
without anti-skid protection 


e the left wing landing gear brakes lost pressure. As a result of this pressure 
loss there was no braking capability on the left wing landing gear. ^ 


During the landing, the initially heavy braking by the crew was reduced as the 
landing roll progressed. Asymmetric braking during the landing resulted from the 
unavailability of the left wing landing gear brakes and caused the left body landing 
gear brakes to absorb significant energy. The maximum brake temperatures 
recorded on the left body landing gear, wheel 10 brake, exceeded 900 ?C. 


The left main body gear wheel fuse plugs '^' melted as brake temperature increased 
after the aircraft had come to a complete stop. As a result, the left body gear wheels 
9, 10, 13 and 14 deflated. 


Steering 


The depressurisation of the Green hydraulic system set the nosewheel steering to 
alternate mode. In this mode, the nosewheel steering used the local electro- 
hydraulic generator system and there was no operational impact. 


Bleed air 

The bleed air system supplied high-pressure air for the following: 
e air conditioning and cabin pressurisation 
* wing and engine anti-ice 
* engine starting 


e M hydraulic reservoir pressurisation. 


!Ü? Normal braking provided anti-skid protection and the crew were able to select the ‘auto brake’ 
function. There were no restrictions on the use of the system in normal mode. Alternate braking 
was similar to normal braking; however, hydraulic power was supplied by the local electro- 
hydraulic generation system. Emergency braking did not provide anti-skid protection and the auto 
brake function was not available in this mode. Braking pressure was reduced in the emergency 
mode. In the event that pedal braking was unavailable, ultimate braking to the BLG was available 
when the crew set the park brake handle to the on position. In the ultimate mode braking was 
automatically applied to the WLG when the ground spoilers were deployed. 


120 The display to the crew of the associated ECAM alert was inhibited by flight phase logic. 


121 Buse plugs were designed to deflate wheels that were exposed to temperature beyond a specified 


limit. 
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The bleed air system received compressed air from the engines and distributed this 
air at the correct pressure, temperature and flow rate. This air could be sourced from 
the engines, the APU or from ground air sources. 


An Overheat Detection System (ODS) protected and monitored the pneumatic 
system and was in continuous operation during flight. If a pneumatic system duct 
was damaged, the ODS would identify the location and isolate that area to prevent 
potential damage to the surrounding structure and components from the leaking hot 
air. The overheat detection loops were installed adjacent to the pneumatic hot air 
ducts in the fuselage, the belly, the forward cargo hold, the wing and the engine 
pylons. 


The bleed air ducts in the left wing leading edge and centre fuselage were damaged 
from impact by the engine debris, affecting the distribution of bleed air from 
engines No. 1 and 2 and the APU (Figure 60). The damage was detected by the 
ODS and the affected pneumatic systems were isolated in less than 10 seconds. 
There was no operational impact. 


Figure 60: Bleed air duct damage 
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Fuel system 


The A380 carried fuel in 11 integral fuel tanks, including an outer, mid and inner 
tank in each wing. Two engine feed tanks per wing supplied fuel directly to their 
respective engines (for example, Feed Tank 2 supplied fuel exclusively to the 
No. 2 engine). A trim tank was also located in the horizontal stabilizer 

(Figure B61). 


Figure B61: A380 fuel tanks 


Image source: Airbus 


The aircraft's fuel quantity management system (FQMS) automatically controlled 
and monitored the transfer of fuel within the fuel system. Manual control is also 
available to the flight crew. The FQMS operated to: 


* supply fuel to the engines and APU 
* maintain the aircraft’s centre of gravity within limits 


* reduce the structural loads on the aircraft through the load alleviation 
function 


* control the refuelling and defueling of the aircraft 


* enable fuel jettison if necessary. 


In this accident, the operation of the fuel system was degraded as a result of the 
damaged wiring looms and the loss of the AC BUS 2. In addition, the Left Inner 
Tank (LIT) and Feed Tank 2 were punctured by engine debris, resulting in fuel 
leaking from that damage. The recorded data showed that Feed Tank 2 leaked about 
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5,000 kg of fuel in flight and a further 2,600 kg of fuel once on the ground. The fuel 
quantity records for the LIT did not show a marked reduction of fuel quantity 
following the uncontained engine failure, indicating that the hole in that tank was 
most likely located above the fuel level. However, evidence of the loss of 
anti-corrosion protection at the left wing front spar was consistent with some fuel 
leakage. 


Damage to the fuel system resulted in: 


e the FQMS being disabled, with the consequential loss of the fuel jettison 
function. 


* fuel in the Left and Right Inner Tanks being unusable. The Right Inner 
Tank contained fuel and was physically capable of its transfer to a feed 
tank. However, system logic inhibited the manual transfer of fuel due to 
wiring damage to the LIT fuel pumps. The transfer inhibition was designed 
to prevent a fuel imbalance between wing tank pairs. 


e the Left and Right Mid Tanks being unusable; however, these tanks were 
empty for the entire flight. 


* the inability to transfer fuel from the Left Outer Tank using a manual 
Emergency Outer Tank Transfer function, ^ fuel was transferred from the 
Right Outer Tank while fuel remained trapped in the Left Outer Tank. This 
function was controlled without any logic to prevent the asymmetric 
operation of outer tank transfer valves. 


* the restriction of the trim tank fuel transfer capability to the manual transfer 
of fuel to the inner feed tanks after the provision of a low fuel warning to 
the crew. Had the flight crew initiated this procedure, approximately half of 
the fuel in the trim tank would have been lost due to its transfer to the 
damaged Feed Tank 2. 


Low pressure shut off valve 


Low pressure shut-off valves (LPSOV) were installed in the pylon of each engine. 
Their main function was to isolate the engine from the hydraulic fluid supply (fuel 
and oil) in case of an engine fire. The LPSOVs were actuated by twin motors, one 
motor was powered by the normal electric route along the front spar, and the second 
motor was powered by a diverted route along the keel, entering the wing via the 
shroud box Figure B62). When commanded, a LPSOV isolates its engine from the 
fuel supply. Control of each LPSOV was through the associated: 


e ENG MASTER switch, which opened and closed the valve 
* engine FIRE PUSH switch, which closed the valve. 


Severing of signal wires in the left wing leading edge and belly fairing of the 
aircraft contributed to the loss of control of the No. 1 engine LPSOV. This resulted 
in the inability to shut down that engine after the aircraft had landed at Changi 
Airport, Singapore. Although the leading edge wing damage was from major disc 
fragments, the damage to the belly fairing and its internal wiring was established to 
be from a smaller fragment. 


122 The Emergency Outer Tank Transfer function allowed fuel to be transferred from an Outer Tank 
to the respective outboard feed tank. Left Outer Tank transferred to Feed Tank 1 and the Right 
Outer Tank transferred to the Feed Tank 4. 
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Figure B62: Schematic showing the trajectory of the disc fragments as they 
exited the No. 2 engine case and impacted the left wing and 
airframe. A smaller, high energy disc fragment penetrated the belly 
fairing and severed the LPSOV control wires for the No. 1 and No. 2 
engines 


Q Fire Valve 


Closure motor 1 


Closure motor 2 


Image source: Airbus 


Fire protection 


The No. 2 engine fire push button was activated shortly after the crew were alerted 
to the uncontained engine failure. After the aircraft had landed back at Changi 
Airport, the crew commenced shutting down the remaining engines. Despite 
switching the final engine master switch to OFF, the crew were alerted by Airport 
Emergency Services (AES) that the No. 1 engine remained in idle operation. In 
response, the crew pressed the engine fire push-button in an attempt to shut down 
the still-running engine. That process was ineffective, with the No. 1 engine 
eventually being ‘drowned’ using retardant by AES. 


Each engine was fitted with two fire extinguishing bottles installed within the 
pylon, and each bottle was controlled by two individual discharge cartridges 
(squibs). The design of the aircraft incorporated redundant wiring routes; one along 
the wing leading edge and the other routed along the centre of the fuselage and then 
along the wing trailing edge. Airbus reported that during their inspection of the fire 
extinguishing system, neither of the fire bottles for the No. 1 engine had discharged. 
Only one bottle had discharged for the No. 2 engine. 


As detailed in Table B7, the physical state of the fire bottles and the extent of 
wiring damage to the fire extinguishing system was established. One of the bottles 
(Bottle-1) to the No. 2 engine had discharged while the second bottle (Bottle-2) 
remained full and had not discharged when commanded. Inspection of the bottles 
for the No. 1 engine revealed that both bottles were full and had not discharged 
when commanded. 


Conductivity testing of the wiring looms for the fire extinguishing system revealed 
significant damage had occurred as a result of the disc burst. Many of the signal 
wires to the system had been severed. The signal wire to Bottle-1 Squib-1 from the 
No. 1 engine was found to be intact. That bottle should have discharged its contents 
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as commanded when the crew attempted to shut down that engine. The 
investigation was unable to determine why that fire bottle did not function. 


Table B7: Fire extinguishing system - bottle discharge status and the 
electrical continuity of the signal/control wires (whether they were 
intact or had been severed) 


Squib-1 Severed F 
Engine No. 1 Bottle-1 a. a 
Squib-2 Intact ischarge 
Squib-1 Severed ; 
Engine No. 1 Bottle-2 A pol 
Squib-2 Severed Ischarge 
Squib-1 Severed 
Engine No. 2 Bottle-1 Discharged 
Squib-2 Intact 
Squib-1 Severed f 
Engine No. 2 Bottle-2 ous ie 
Squib-2 Severed Ischarge 
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APPENDIX C: FLIGHT RECORDERS AND DATA 


SUMMARY 


The aircraft was fitted with crash-protected flight recording systems and 
non-mandatory data recording systems. The engine monitoring and control units 
also had a recording capability. Recorded data from all of these sources was utilised 
by the Australian Transport Safety Bureau (ATSB) to determine a sequence of 
events and understand the engine failure mechanisms. 


The recorded data showed that the aircraft departed Changi Airport, Singapore, 
runway 20C, at 01:56:47 UTC on 4 November 2010. Approximately 3% minutes 
later, during climb through 5,000 ft, some No. 2 engine air and oil parameter values 
began to gradually diverge from the values shown by the other engines. At 
02:00:58, the No. 2 engine rotor speeds, temperatures and vibrations started to 
fluctuate, followed by rapid increases in turbine cooling air temperatures. No. 2 
engine temperature and speed exceedances resulted in a Master Warning activation 
at 02:01:09. Two seconds later at 7,250 ft, the intermediate-pressure (IP) turbine 
disc burst and was liberated from the aircraft. Fault indications from many aircraft 
systems were recorded subsequently, including electrical power, flight controls, 
hydraulics, brakes and bleed air. 


Recorded data showed that after the failure, the aircraft levelled at 7,400 ft. Over a 
70-minute period, it completed nine orbits over the ocean before commencing a 
descent into Singapore. During the descent, the flaps extended at half the normal 
rate, and two Low Energy warnings were recorded during the final approach. A stall 
warning sounded just before touchdown on runway 20C at 03:46:47. 


The aircraft remained on runway 20C with the right engines (No. 3 and No. 4) 
being shut down by 03:49:08, shortly after the aircraft came to a stop. The 

No. 1 engine was unable to be shut down immediately. All passengers had 
disembarked by 05:40:05. The flight recordings ceased about 20 minutes later, with 
the No. 1 engine still running. Fuel loss on the ground at Singapore was recorded as 
2,600 kg, as a result of a fuel leak from the aircraft's No. 2 feed tank. 


During the investigation, historical recorded data obtained from the operator was 
utilised. Maximum engine pressures experienced during previous service 
(especially on takeoff) were used to determine the limitations on the 
return-to-service of the operator's other A380 aircraft. 
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FACTUAL INFORMATION 


Recorded flight data 


The aircraft was fitted with both crash-protected (mandatory) and supplementary 
(non-mandatory) data recording systems. The aircraft system, engine monitoring 
and control units also had a recording capability. Recorded data from all of these 
sources was utilised during the investigation. 


Crash-protected flight recorders 


As required by Australian legislation and international certification standards, the 
aircraft was fitted with two crash-protected flight recorders; a flight data recorder 
(FDR) and a cockpit voice recorder (CVR). 


Flight data recorder 


The FDR was an L3 Communications Model FA2100 solid state flight data 
recorder (Figure C1). The FDR was required to record as a minimum, the previous 
25 hours of flight data. The FDR was removed from the aircraft under the 
supervision of the Air Accident Investigation Bureau (AAIB) of Singapore and 
transported to the aircraft operator's Sydney base. The ATSB supervised the 
download of the recorded data from the FDR on 5 November 2010. 


Figure C1: Flight Data Recorder 


The FDR was undamaged and contained 77 hours 16 minutes of recorded aircraft 
operation. The data was of excellent quality and included the accident flight and 
five previous flights. The FDR recorded over 2,000 aircraft and flight parameters 
(Figure C2). 
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Figure C2: Occurrence flight summary using selected FDR parameters 
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Cockpit voice recorder 


The CVR was an L3 Communications Model FA2100 solid state cockpit voice 
recorder (Figure C3). The CVR was manufactured to record, as a minimum, the 
previous 2 hours of flight crew conversation and the cockpit aural environment. The 
CVR was removed from the aircraft and returned directly to the ATSB's technical 
facilities in Canberra for download and analysis. 
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Figure C3: Cockpit Voice Recorder 


The CVR was undamaged and contained over 2 hours of excellent quality cockpit 
audio, comprising separate channels for the captain, first officer, observer 
position"? and cockpit area microphone. Due to the continued operation of the 

No. 1 engine after the aircraft landed, electrical power remained available and the 
CVR continued operating, overwriting the audio recorded at the time of the 
uncontained engine failure. The CVR system is designed so that the recording unit 
stops when power is removed, either 5 minutes after the last engine is shut down or 
by manually operating the CVR circuit breaker. 


The recorded CVR audio commenced during the aircraft's descent in the landing 
approach and included touchdown and the subsequent ground operations. As a 
consequence, the audio associated with the engine failure and initial flight crew 
response was overwritten. The CVR contained pertinent information regarding the 
approach, landing and roll-out. Of particular value to the ATSB were the 
communications between the flight crew, ATC and emergency services following 
the aircraft coming to a stop, communication by the flight crew with the cabin crew 
and passengers and the coordination with ground services during passenger 
disembarkation, as well as the attempts to shut down the No. 1 engine. A copy of 
the CVR audio was made and retained by the ATSB before the recorder was 
returned to the operator. 


Aircraft operations and flight path 


Information was obtained from the FDR data regarding the flight and engine 
operations leading up to the engine failure. The recorded data also provided 
information on aircraft and system performance leading up to, and following, the 
engine failure. 


Following the engine failure, the aircraft levelled off at 7,400 ft and continued on 
track. The aircraft then made a left turn and flew over Bintan Island, Indonesia. 
Nine left orbits were then conducted over the ocean north of Bintan Island 
(Figure C4). Approximately 90 minutes after the engine failure, the aircraft 
commenced an approach and descent into Changi Airport. The CVR audio 


13 The public address (PA) audio was recorded on the channel of the crew that initiated the PA call. 
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commenced during the descent after the flaps and before the landing gear were 
extended. 


Figure C4: Aircraft flight path 


* Google 


Image source: Google Earth 


Non-mandatory data recording systems 


The operator had incorporated a number of supplementary data recording systems 
in its fleet of A380 aircraft. Those recording systems provided additional engine 
data (above that available from the FDR) that facilitated an early analysis of the 
specific engine failure mechanism. 


The operator used a number of other devices to store information that originated 
from the Aircraft Condition Monitoring System (ACMS) and the Centralised 
Maintenance System (CMS). That information differed from that captured by the 
mandatory, crash-protected FDR, because the ACMS programming was customised 
to provide enhanced flight and systems monitoring information. 


Wireless digital ACMS recorder 


The wireless digital ACMS recorder (WDAR) was a Teledyne P/N 2243800-81 unit 
(Figure C5) that stored a continuous record of over 1,000 different aircraft and 
engine system parameters. These parameters were stored in a customised format 
that was defined by the operator in conjunction with the aircraft and engine 
manufacturers. 


The WDAR contained additional aircraft system and engine parameters that were 
recorded at a greater resolution and sampling rate than the FDR. 


The WDAR's normal mode of operation was to store the ACMS information on an 
internal memory device, and upon aircraft arrival in an Australian port (or when 
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remotely triggered) to transmit recorded data to the operator using available cellular 
telephone networks. 


Figure C5: Wireless DAR unit 


Aircraft Network Server Units 


The Airbus A380 uses computer network architecture to monitor and control the 
aircraft's systems. The aircraft was fitted with main and backup aircraft network 
server units (ANSU-OPS1 and ANSU-OPS2), which contained duplicate recorded 
information sets from the ACMS and CMS. 


Duplicate Flight Data/Digital ACMS Recording 


During normal aircraft operations, the recorded information stored in the two 
ANSU-OPS units was fully redundant (that is, identical). 


Each ANSU provided a virtual quick access recorder (VQAR) functionality, in 
which a complete copy of the FDR information was stored. In a similar way, a copy 
of the DAR information was stored on each ANSU, as a virtual digital ACMS 
recorder (VDAR). The VDAR normally stored the same information as the separate 
WDAR unit (Figure C6). 
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Figure C6: Schematic of the data acquisition and recording system 
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Smartaircraft condition monitoring system recorder 


The Smartaircraft condition monitoring system recorder (SACMSR) provided a 
high capacity (defined by the number of parameters recorded and their sampling 
rate), continuous recording of up to 256 parameters around pre-defined trigger 
events. The SACMSR parameter information for the engine failure provided high- 
resolution (8 Hz) engine parameters for 180 seconds leading up to the uncontained 
engine failure, and a further 180 seconds following the occurrence. 


Aircraft system reports 
Aircraft system reports (REP) were also recorded in ANSU-OPS1 and 2. 


The REP folder contained data that may originate from an aircraft system or be 
calculated according to pre-defined logic. Up to 1,000 different reports may be 

defined, and can be transmitted from the aircraft via the aircraft communication 
addressing and reporting system (ACARS). 


An example of information provided by a REP was a snapshot of brake 
temperatures for all wheels following the touchdown (Figure C7). 
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Figure C7: REP 208 from ANSU-OPS1 


ACID ACTYP ENG | REP CODE FMT CNT DATE UTC FP 


208 2081 82 00308 | 04.NOV.10 03:49:05 12 


HOl  .VH-OQA A380-800 RR 


FROM TO  FLT Sw AI-DB DATABASE 


HO2 è =  ---------- 50385 50385 AwC110909A 


H03 REASON: Snapshot of brake temperatures for phase 12 
BRAKE TEMPERATURE FOR WHEEL 1 to 16 


BRTEMP.1 BRTEMP. 2 BRTEMP. 3 BRTEMP. 4 
31 32 350 530 


BRTEMP. 5 BRTEMP. 6 BRTEMP. 7 BRTEMP. 8 
40 37 534 523 


BRTEMP. 9 BRTEMP.10 BRTEMP.11 BRTEMP.12 
831 1000 469 421 


BRTEMP.13 BRTEMP.14 BRTEMP.15 BRTEMP.16 
858 831 547 448 


TAT : 28.9 
Image source: Airbus 


Centralised Maintenance System 


The ANSU-OPS also stored information from the CMS including the post flight 
report, fault message and ECAM warning histories. This information provided the 
ATSB with a timeline of fault messages generated from the engine failure and 
subsequently displayed to the flight crew (Figure C8). 


Figure C8: ECAM warning data around the time of engine failure from the 
CMS recorded on ANSU-OPS 


= = "m c c 
3160G184 Amber crosses nac temp eng3 ^ ;29 DISPLAYED UNKNOWN UNKNOWN 
3160G185 Amber crosses nac temp eng4 DISPLAYED UNKNOWN UNKNOWN 
3160G162 Red line oil pressure eng1 DISPLAYED UNKNOWN UNKNOWN 
3160G164 Red line oil pressure eng3 E. DISPLAYED UNKNOWN UNKNOWN 
3160G165 Red line oil pressure eng4 04/11/2010 04/11/2010 01 DISPLAYED | UNKNOWN UNKNOWN 


7722W120 ENG 2 TURBINE OVHT 04/11/2010 04/11/2010 02: DISPLAYED WARNING INDEPENDENT 
7100W420 ENG 2 STALL 04/11/2010 02:01:09 04/11/2010 02:01:09 CALCULATED CAUTION INDEPENDENT 
7100W420 ENG 2 STALL 04/11/2010 02:01:09 04/11/2010 02:01:17 DISPLAYED CAUTION INDEPENDENT 


7720W120 ENG 2 EGT OVER LIMIT 109 04/11/2010 02:01:09 CALCULATED CAUTION INDEPENDENT 
7720W120 ENG 2 EGT OVER LIMIT :09 04/11/2010 02:01:13 DISPLAYED CAUTION INDEPENDENT 
7932W220 ENG 2 OIL TEMP HI 04/11/2010 02:01:09 04/11/2010 02:01:17 DISPLAYED CAUTION INDEPENDENT 
7932W220 ENG 2 OIL TEMP HI 04/11/2010 02:01:09 04/11/2010 02:01:09 CALCULATED CAUTION INDEPENDENT 
2230W040 AUTO FLT A/THR OFF 04/11/2010 02:01:13 04/11/2010 02:01:13 CALCULATED CAUTION INDEPENDENT 
2230W040 AUTO FLT A/THR OFF 04/11/2010 02:01:13 04/11/2010 02:01:30 DISPLAYED CAUTION INDEPENDENT 
2780N030 SLATS 04/11/2010 02:01:13 04/11/2010 02:01:13 CALCULATED OTHERWISE  INOP 
2780N030 SLATS 04/11/2010 02:01:13 04/11/2010 02:01:30 DISPLAYED OTHERWISE  INOP 
2780W030 F/CTL SLAT SYS 1*2 FAULT 04/11/2010 02:01:13 04/11/2010 02:01:13 CALCULATED CAUTION INDEPENDENT 
2780W030 FICTL SLAT SYS 1+2 FAULT 04/11/2010 02:01:13 04/11/2010 02:01:30 DISPLAYED CAUTION INDEPENDENT 
2910N270 Y ENG 4 PMP A+B 04/11/2010 02:01:13 04/11/2010 02:01:13 CALCULATED OTHERWISE  INOP 
2910N270 Y ENG 4 PMP A+B 04/11/2010 02:01:13 04/11/2010 02:01:30 DISPLAYED _ OTHERWISE  INOP. 


Image source: Airbus 
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Recovery of the non-mandatory recorded information 


The WDAR was downloaded by the operator under ATSB supervision using 
another of the operator’s A380 aircraft. The occurrence flight recording was 
incomplete, ending about 50 seconds prior to the engine failure. Examination of the 
WDAR revealed that the recorder operation ceased as a result of disruption to the 
electrical system during the occurrence, and that some data was lost due to internal 


buffering. 


On 10 November 2010, ANSU-OPS2 was downloaded in Singapore with assistance 
from the aircraft and unit manufacturers. When the recovered VDAR data was 
examined, it was found that the recording had been interrupted and ceased prior to 
the event. However, a further 14 seconds of VDAR information was available 
before the recording terminated. The additional information obtained from the 
VDAR was able to clarify the understanding of the engine failure sequence. 
SACMSR, REP and CMS files recorded on ANSU-OPS 2 were also incomplete due 


to the power disruption. 


The ANSU-OPS1 was downloaded on 12 November 2010. Upon examination, it 
was evident that the complete history of the occurrence flight, including the engine 
failure had been retained by the VDAR, SACMSR and REP folders, with no 
premature recording termination and data loss. The CMS history data was also 
complete. The data downloaded from ANSU-OPS1 was provided to all parties to 


the investigation. 


Engine recorded data 


The electronic engine controller (EEC) and engine monitor unit (EMU) fitted to 
each engine contained non-volatile recordings that were able to be accessed by the 
engine manufacturer .The EEC data contained a history of fault message 
information from the flight and a snapshot of a relevant data-set at the time each 
fault was registered (once-per-second data recording) (Figure C9). Upon download 
and examination, it was evident that fault messages had been recorded for the No. 2 
engine for up to 12 minutes after the engine failure. 


Figure C9: No. 2 engine EEC data around time of engine failure 


n 
a 
2! 14Nov 01:44:08 
3. 14Nov 01:44:08. 
4 34Nov 02:01:07 ENG x TURBINE OVHT 
5. 34Nov 02:01:07 ENG x TURBINE OVHT 
6 64Nov 02:01:08 ENG x OIL TEMP HI 
7. 64Nov 02:01:08 ENG x OIL TEMP HI 
8 2 4-Nov 02:01:08 ENG x STALL 
9 24Nov 02:01:08 ENG x STALL 
10. 4 4-Nov 02:01:08 EGT Amber Line 31 
ll 4 4-Nov 02:01:08 EGT Amber Line 31 
12 5 4-Nov 02:01:09 ENG x EGT OVER LIMIT 
13. 5 4-Nov 02:01:09 ENG x EGT OVER LIMIT 
14 7 4-Nov 02:01:12 ENG x MINOR FAULT 
15. 8 4-Nov 02:01:12 
16 8 4-Nov 02:03:25 
17. 9NCD 02:03:25 
18. 7 4-Nov 02:03:25 ENG x MINOR FAULT 
19. 9 4-Nov 02:03:27 ENG x SENSOR FAULT 
20.10 4-Nov 02:03:29 ENG x TURBINE OVHT 
1.14 4-Nov 02:03:29 
22 12 NCD 02:03:29 
23 15 4-Nov 02:03:29. 
24 13 NCD 02:03:29 
2% 11 4-Nov 02:03:29 ENG x REV MINOR FAULT (Engine positions 2 & 3) 
26 10 NCD 02:03:29 ENG x REV MINOR FAULT (Engine positions 2 & 3) 
27, 12 4-Nov 02:03:29 ENG x REV MINOR FAULT (Engine positions 2 & 3) 
28 11 NCD 02:03:29 ENG x REV MINOR FAULT (Engine positions 2 & 3) 
29 13 4-Nov 02:03:31 ENG x REV INOP 
M € vil EEC2 CSV AJ 


5 NiTurbine Speed Probe 2 

5 NiTurbine Speed Probe 2 

1 Propulsion System - Turbine Ovht 
1 Propulsion System - Turbine Ovht 
1 Oil System - High Oil Temp 

1 Oil System - High Oil Temp 

1 Propulsion System - Surge 


1 Propulsion System - Surge 

1 Propulsion System - EGT Amber 

1 Propulsion System - EGT Amber 

1 Propulsion System - EGT Over Limit 

1 Propulsion System - EGT Over Limit 

1 EPM 

4 EIPM 

5 TCA 

5 TCA 

1EIPM 

1 P20T20 Probe 

1 Propulsion System - Turbine Ovht 

5 EEC 

5 EEC 

5 EEC 

5 EEC 

1 CH. A Proximity Sensor of Tertiary Lock 
1 CH. A Proximity Sensor of Tertiary Lock 
1 CH. B Proximity Sensor of Tertiary Lock 
1 CH.B Proximity Sensor of Tertiary Lock 
1ETRAC 


2 Detected Failure High FWS 0005000003021C0A2532051903670008156451CD204200000001001 
3 Detected Failure High FWS 0005000003021C0A2532051903670008156461CD204200000001000 
2 Detected Failure High FWS 0001112A474850565C614D192D102F5E156451844042000005010Q 
3 Detected Failure High FWS 0001112A474850565C614D1A2D1D2F5E156461844042000005010( 
2 Detected Failure High FWS 0001112A0F483936635FOF190B672F5E15645182404200006001000, 
3 Detected Failure High FWS 0001112A10483838615F10190A672F5E1564618240420000600100( 
2 Detected Failure High FWS 0001112A264848555622919294E2F5E15645183404214C08000458 
3 Detected Failure High FWS 0001112A264848555622919204E2F5E15646183404206348000451 
2 Detected Failure High CDS 0001112A0E48352F635F0E180B672F5E156451£0404200000701000, 
3 Detected Failure High COS 0001112A0E48352F635F0E1808672F5E156461E0404200000701000] 
2 Detected Failure High FWS 0001112A00483128635F00180A672F5E1564514C404200004701( 
3 Detected Failure High FWS 0001112A00483128635F0D180A672F5E156461AC40420000470100) 
2 Detected Failure Low FWS 0002122A0648251C635F061605672F561564582E20429244010042 
2 Detected Failure High FWS 0003122A06482418625E061705672F561564582F2042FBC2010042E, 
3 Detected Failure High FWS 0005122A01020913281F0214015200111564681D20420000000181t 
2 Detected Failure High FWS 00051228010207133100011500520011FFFF5810203281084007000! 
3 Detected Failure Low FWS 0002122A01020913281F0214015200111564682E20424729010041F. 
3 Detected Failure High FWS 0002122801020A1329100218015200111564683220428E08430000G 
3 Detected Failure High FWS 0001122501020A13291802180052001015646184204200000001 
3 Detected Failure High FWS 0005122A01020913281F0214015200111564684320428A1143008A7 
2 Detected Failure High FWS 00051228010207133100011500520011FFFF584320328A1143008A2 
3 Detected Failure High FWS 0005122401020913281F0214015200111564684420428A1143008A:] 
2 Detected Failure High FWS 0005132C010207133100011701520011FFFF584420328A1143008A2] 
3 Detected Failure High FWS 0002122801020413291002160152001115646C22204284018300840 
2 Detected Failure High FWS 0002132C010207133100014A01520011FFFF5C2220328404830084t 
3 Detected Failure High FWS 0002122801020A13291002160152001115646C2320428404830084(] 
2 Detected Failure High FWS 0002132C010207133100014A01520011FFFF5C23203284048300840] 
3 Detected Failure High FWS 0001122801020413291002160152001115646C31204201000400010 


Image source: Rolls-Royce plc 
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The EMU provided continuous, high-resolution engine data (5 Hz) of about 

100 specific engine parameters. The No. 2 engine EMU data was available for the 
flight duration, until 3.4 seconds after the engine failure. The EEC and EMU data 
accessed by the engine manufacturer was provided to all relevant parties to the 
investigation. 


Use of historical WDAR data 


During the investigation, WDAR data from aircraft's previous flights was requested 
from the operator. This data was used to examine engine parameters during takeoff 
from various airports. Examination of the maximum high pressure (HP) compressor 
delivery pressure (P30) achieved during these takeoffs was used by the Civil 
Aviation Safety Authority (CASA) to determine the limitations for the return to 
service of the operator's other A380 aircraft following the voluntary grounding of 
their fleet. 
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turbine (IP turbine) disc liberation. A summary of data available to the investigation 


engine and aircraft parameters from multiple sources were combined to provide a 
and used is shown in (Figure C10). 


The analysis of data downloaded from the aircraft's mandatory and non-mandatory 
recording devices provided the ATSB with a concise sequence of events. Recorded 
sequence leading up to, and following, the No. 2 engine intermediate-pressure 


Recorded data analysis 
Figure C10: Summary of recorded data 
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Pressure Altitude (feet) 


Sequence of events leading up to and relating to the IP turbine 
disc liberation 


Engine parameters from the various sources of available data" were integrated to 
define a sequence of events leading up to and shortly after the IP turbine disc 
liberation. The CVR audio was not available for this period. 


Table C1 tabulates the graphical representations of the engine parameters shown in 
Figure C11 and Figure C12. 


Table C1: Sequence of events leading up to the No. 2 engine IP turbine disc 


liberation 
utc!” Event Comment 

(hh:mm:ss) 

01:43:24 No. 1 and No. 2 engine starts Aircraft gross weight 464.8 t at 

01:44:36 No. 3 engine starts Singapore. Engine and Warning 

; Display (THR, N1, EGT, thrust 

01:44:39 No. 4 engine starts mode and thrust rating limit) and 

ENG SD Page displayed to flight 
crew (N2, N3, fuel flow, oil quantity, 
oil pressure, oil temperature, N1, 
N2, N3 vibrations and nacelle 
temperature) 

01:55:00 Aircraft commences takeoffon No. 2 Eng. N1**° 79%, flex temp 
runway 20C 59 °C 

01:56:47 Airborne at Changi Airport, No. 2 Eng. Turbofan Power Ratio 

(TPR) 72%. No. 2 Engine Oil 
Pressure 8% lower than average of 
four engines 

No. 2 Eng. N1 78-79% 

01:57:55 System Display page Engine indications displayed to flight 
automatically changes to crew are now Engine and Warning 
cruise page at 1,500 ft.**’ Display (THR, N1, EGT, Thrust 

mode and Thrust Rating Limit) plus 
fuel flow on CRUISE SD page 

01:58:07 - Engine thrust increased No. 2 Engine Turbofan Power Ratio 

01:58:20 (TPR) increased to 90%, No. 2 

Engine N1 86% 
02:00:07 No. 2 engine TCAR ?? starts to TCAR not displayed to flight crew. 


increase 


Indicative of oil feed stub pipe 
breach, passing barometric- 
corrected altitude of 4,980 ft. 
No. 2 Engine N1 87% 


TCAF = 557°°C, TCAR = 480 °C 


124 


125 


126 


127 


Refer to (Figure C7) for sources used from the aircraft. 


Timing from FDR data. 


N1 — Engine low pressure (LP) assembly shaft speed — measured as a % rpm of a reference speed 
(LP reference speed (100%) is 2,900 RPM for an RB211-Trent 972-84 engine. N1 max continued 
97.2% max takeoff (5 minute limit) 97.296. Source: EASA Type-Certificate Data Sheet E.012). 


The Cruise Page includes engine fuel flow information in addition to Engine and Warning Display 


parameters (THR, N1, EGT, Thrust mode and Thrust Rating Limit) 
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125 


UTC Event Comment 
(hh:mm:ss) 
02:00:15 No. 2 engine oil temperature Oil temperature not displayed to 
starts to increase flight crew at this time 
02:00:16 No. 2 engine oil pressure Oil pressure not displayed to flight 
starts to decrease crew at this time 
02:00:22 No. 2 engine oil temperature No. 2 engine oil temperature 
and pressure values begin to increasing from 179 °C 
diverge from the recorded No. 2 engine oil pressure 
values for the other engines decreasing from 68 psi 
Altitude 5,330 ft 
No. 2 engine N1 speed 87.496 
Vibration not displayed to flight crew 
at this time 
02:00:58 No. 2 engine N3 vibration? Altitude 6,620 ft 
increases No. 2 engine N1 87.4% 
No. 2 engine N3P? fluctuation 
02:01:00- No. 2 engine N1 and N2 P! N1 from 87.696 to 86.696, N2 from 
02:01:01 starts to decrease 94.5% to 93.3% 
No. 2 engine N3 starts to N3 from 94.396 to 96.796 
increase TCAF = 572 °C, TCAR = 535 °C 
Rapid increase in No. 2 engine N2, N3 not displayed to flight crew 
TCAR and TCAF commences at this time. TCAF and TCAR not 
displayed to flight crew 
02:01:06 No. 2 engine N3 on limit TCAF = 821 °C, TCAR = 649 °C 
exceedance message N1 at 86.8%, N3 at 97.7% 
02:01:07 No. 2 engine N3 reaches Indicative time of drive arm 


98.4% and starts to decrease separation (turbine disc separation 


No. 2 engine fuel flow from the shaft) 


decreases 
Rapid No. 2 engine N1, N2 
and P30'**decrease 


No. 2 engine TGT rise 


TCAR - Turbine Cooling Air Rear — cooling air temperature measured at the rear of the IPT. 


N3 vibration is the vibration level of the high-pressure (HP) spool (comprising the HP compressor 
and HP turbine). Similarly, N1 vibration is the vibration level of the LP spool (comprising the LP 
compressor and LP turbine). N2 vibration is the vibration level of the IP spool (comprising the IP 
compressor and IP turbine). 


N3 - Engine HP rotor speed — measured as a 96 rpm of a reference speed (HP spool reference 
speed (10096) is 12,200 RPM for an RB211-Trent 972-84 engine). N3 max continued 97.796 max 
takeoff (5 minute limit) 97.896. Source: EASA Type-Certificate Data Sheet E.012). 


N2 - Engine intermediate pressure (IP) rotor speed — measured as a % rpm of a reference speed 
(IP reference speed (10096) is 8,300 RPM for an RB211-Trent 972-84 engine. N2 max continued 
97.8% max takeoff (5 minute limit) 98.7%. Source: EASA Type-Certificate Data Sheet E.012). 


P30 — HP compressor delivery pressure. 
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125 


UTC Event Comment 
(hh:mm:ss) 
02:01:08 No. 2 engine turbine overheat  TCAF = 840 °C, TCAR = 611 °C 
parameter activates and oil 
temp over limit message 
02:01:09 Master Warning and 
Master Caution activate 
No. 2 engine core surge 
exceedance message 
02:01:10 No. 2 engine oil temp over limit 
02:01:11 No. 2 engine N2 to 40% and Indicative of time of turbine disc 
oil pressure starts to drop failure 
Loss of No. 2 engine TGT and Altitude 7,250 ft 
TCAR signal TGT = 1.018 °C 


No. 2 engine P30 surge 


Fault indications commence 
from multiple systems 
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Sequence of engine events following the IP turbine disc 
liberation 


Table C2 tabulates the graphical representation of the engine parameters after the 
disc separation as shown at Figure C13. 


Table C2: No. 2 engine events following the No. 2 engine IP turbine disc 


liberation 
utc! Event Comment 
(hh:mm:ss) 
02:01:17 No. 2 engine flameout CMS only 
exceedance message 
02:01:38 No. 2 engine thrust lever 
reduced to idle 
02:01:51 No. 2 engine low oil quantity ENG SD page called 
02:01:53 No. 2 engine thrust lever 
progressively advanced to half 
range 
02:02:08 P30 rises 
02:02:20 P30 drops Indicative of compressor stall 
02:02:25 Fire warning 
02:02:39 No. 2 engine thrust lever 
retarded to idle position 
02:03:21 No. 2 engine high pressure 


shut-off valve closed 


13 Timing from FDR data. 
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Figure C13: Engine parameters following the IP turbine disc liberation 


In-flight uncontained engine failure, VH-OQA - Airbus A380-842 


04 Nov 2010, Overhead Batam Island, Indonesia 
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Aircraft and system events following the IP turbine disc 


separation 


The IP turbine disc liberation resulted in structural and wiring damage to the 
aircraft. The recorded data provided information about multiple system 


degradations and aircraft performance issues following the disc separation. The 
FDR, DAR, CVR, EMU and CMS data was integrated to compile a sequence of 
events (summarised in Table C3, Figure C14 and Figure C15). Detailed analysis of 
the effects of the damage on the various aircraft systems is provided in the relevant 


sections of the main report and appendices. 
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Table C3: Aircraft system events following the disc separation 
134 


UTC Event Comment/Source 


(hh:mm:ss) 


02:01:11 Fault indications commence Indicative of time of turbine disc 
from multiple systems failure 


including: Altitude 7,250 ft 
Flight controls - Left FDR/ VDAR 
mid-aileron, spoiler No. 4, slats 


Hydraulics - green 
Anti-skid 
Electrical power — AC2 


Bleed air- pylon and wing 
overheat 


02:10:59 Hydraulic pressure green 
decreased. Loss of outboard 
aileron actuator function and 
spoilers 8 and 2 


02:18:05 Aircraft commences left orbits ^ Altitude 7,400 ft^? 
over the ocean north of Bintan 
Island, Indonesia 


03:28:51 Aircraft completes ninth orbit 
and commences descent into 
Singapore 


03:35:08 Flaps extended to Flap 3 
Extension at 1/2 speed 


03:36:39 CVR recording begins during 
descent 


03:37:52 Landing gear down and locked FDR 


03:38:38 PA announcement to secure CVR 
cabin for landing 


03:39:58 Cabin confirmed secure CVR 


03:40:58 Landing checks completed — CVR 
flight crew brief carried out for 
'aircraft abnormal 
configuration' 


03:41:58 Discussion of CVR 
commit/go-around options 


03:45:36 Low energy audible warning CVR and FDR 
(‘speed speed speed’) t° 
during final approach when 
passing 1,000 ft RA? 


03:45:55 AIP off CVR and FDR 


134 Timing from FDR data. 


135 Barometric corrected altitude 


136 Triggered to inform the pilot that the aircraft's energy has become lower than a threshold under 


which, to recover a positive flight path angle through pitch control, thrust must be increased. 


137 Radio altitude - height above terrain. 
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134 


UTC Event Comment/Source 
(hh:mm:ss) 
03:46:17 Low energy audible warning CVR and FDR 
during final approach when 
passing 362 ft RA 
03:46:43 Stall warning at 3 ft RA CVR and FDR 
03:46:47 Touchdown at Changi Airport CVR/ FDR 
on runway 20C 
03:46:48 Max braking CVR 
03:48:35 Feed Tank 2 fuel quantity FDR 
12,640 kg 
03:49:05 No. 3 engine shutdown CVR/ FDR 
03:49:08 No. 4 engine shutdown 
03:49:15 Attempted shutdown of No. 1 
engine 
03:51:01 First radio contact between the CVR 
flight crew and Singapore 
Rescue and Fire-fighting 
Service (AES) P? 
03:53:57 Fuel leak in the left wing CVR 
confirmed by AES 
03:54:34 AES advises flight crew that CVR 
they are covering leaked fuel 
with foam 
03:57:46 FDR and CVR data has some FDR/CVR 
interruptions from this time 
onwards 
04:39:00 Passenger disembarkation CVR 
begins 
05:41:05 All passengers disembarked CVR 
06:01:55 Feed Tank 2 fuel quantity FDR 
10,064 kg 
06:02:44 Last FDR data recorded FDR 
06:02:53 CVR recording ends CVR 


138 The Airport Emergency Services (AES) Singapore was part of the Changi Airport Group 
(Singapore) Pty Ltd (CAG). 
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Figure C15 
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Isolation of power to the CVR 


The CVR automatically records when the A380 is in one of the following 
configurations: 


e in flight with engines running or stopped 
* onthe ground with at least one engine running 


e on the ground during the first 5 minutes following the application of power 
to the aircraft's electrical network 


* onthe ground up to 5 minutes after last engine shutdown. 


To prevent the CVR from recording and therefore overwriting the audio from the 
previous 2 hours, it would be necessary to isolate electrical power to the unit, by 
opening the relevant circuit breakers (located remote from the cockpit). 


Analysis of the sequence of events provided the timing for the CVR key events 
during the occurrence flight as shown in Table C4. 


Table C4: Timing of key events 


Time UTC (hh:mm:ss) | Event 


02:01:07 Uncontained engine failure 

03:36:39 CVR recording began 

03:48:00 Aircraft stopped on runway 

03:49:05-03:49:15 Engines No. 3 and 4 shut down and unsuccessful engine 
No.1 shutdown attempt 

03:57:46 CVR power interruptions of about 22 minutes from this point 

04:39:00 Disembarkation of passengers commenced 

05:41:05 Disembarkation of passengers ended 

06:02:53 CVR recording ends 


For the CVR to have recorded the engine failure (within its 2-hour recording 
duration), it would have needed to have been shut down (power removed) by 
04:01:00 UTC — 13 minutes after the aircraft came to rest on the runway. 


At 04:01:00 UTC, circumstances were such that the aircraft was not yet in a safe 
condition, with the potential remaining for subsequent safety-related events (such as 
the outbreak of fire from leaking fuel). At that time, the No. 1 engine was still 
operating and the passengers were yet to disembark. 


From an investigation perspective, deactivation of the CVR at this time would have 
been inappropriate, considering that any subsequent events would have been 
unrecorded. The ATSB is satisfied that there was no justification for the flight crew 
to prioritise the isolation of the CVR above their activities in continuing to manage 
the emergency response and the safety of the aircraft. 


The earliest reasonable time to have powered-down the CVR was about 04:41 UTC, 
when the risks had been reduced and the disembarkation commenced. This would 
have increased the flight-time recording duration, but there were many other 
sources of in-flight information also available. However, once the aircraft was 
powered-down on the ground, CVR audio was one of the few sources of continuing 
recorded information. Existing flight data has allowed the ATSB to develop a good 
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understanding of the technical issues leading to the engine failure. CVR audio prior 
to and around the time of the engine failure would have been very useful in this 
investigation to examine human factors associated with this event (ECAM, 
workloads and the like). It would also have been able to provide information on the 
event, ECAM sequences and crew workload and resource management, as well as 
provide a correlation with other sources of flight information, allowing the ATSB to 
more quickly develop a full understanding of the engine failure and the flight 
crew’s response. 


CVR audio recorded on the ground was useful in evaluating the emergency 
response by AES, air traffic control, other ground personnel and the crew. 
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APPENDIX D: WING FIRE 


SUMMARY 


On 4 November 2010, an Airbus A380 aircraft, registered VH-OQA, departed from 
Changi Airport Singapore, for Sydney, Australia. Following a normal takeoff, the 
crew reported that while maintaining 250 kt and climbing through 7,000 ft above 
mean sea level, they heard two almost coincident 'loud bangs', followed shortly 
after by indications of the failure of the No. 2 engine. 


A subsequent examination of the aircraft found that the No. 2 engine had sustained 
an uncontained failure of the intermediate pressure (IP) turbine disc. Sections of the 
liberated disc penetrated the left wing and the left wing-to-fuselage fairing, 
resulting in structural and systems damage to the aircraft. 


A passenger reported seeing a fire in the region of, and extending from the left 
upper wing surfaces. Photographs supplied by the witness showed a dark, soot-like 
residue on the upper wing surface behind a large perforation. Photos taken by the 
Australian Transport Safety Bureau (ATSB) during the investigation showed 
similar external residue and a similar residue on the internal upper surfaces of the 
left inner fuel tank (LIT). Testing of the residue from the internal surfaces of the 
LIT characterised it as a carbonaceous material, typical of combustion soot. 


While it appeared that the general conditions within the LIT, in a steady-state 
(static) vapour environment, were outside the flammability range of Jet A-1 fuel, a 
literature review indicated that combustion was possible, due to factors that drove 
conditions in the tank into the dynamic vapour flammability range. 


A number of potential sources of fuel vapour ignition were explored, but the 
passage of the hot IP turbine disc fragment through the tank was considered the 
most likely. 


The ATSB found that the impact and passage of the large disc fragment through the 
wing tank likely created fuel agitation and misting in the tank vapour space (ullage), 
dynamically raising the vapour concentration. That effect, combined with the 
fragment surface temperatures (significantly hotter than the auto-ignition and 
hot-surface ignition temperatures of Jet A-1 fuel) led directly to the ignition event. 
Friction between the liberated fragment and the tank skin was also likely to have 
provided an additional localised heat source. There was no evidence of sustained 
excessive temperatures (fuel tank deformation or heat distress), which indicated the 
fire had likely been a short, unsustained event. 


There were a number of possible reasons why the left inner tank fire was not 
sustained: 


e The flash fire initially consumed the oxygen inside the tank; reducing the 
oxygen concentration level to below the threshold required for sustained 
combustion of Jet A-1. 


e The general temperature rise associated with the initial combustion was low 
and insufficient to increase the temperature of the fuel inside the tank to at 
least the lower flammability limit of Jet A-1. Quenching of the flame by the 
cool fuel tank walls (evident from the sooting) and the entry of cooling air 
through the tank perforations may have promoted this. 
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FACTUAL INFORMATION 


Witness reports 


Immediately following the engine failure, a passenger who had been seated on the 
upper left deck of the aircraft reported seeing a fire burning on the wing. The 
passenger reported hearing two bangs approximately 5 minutes after takeoff. 
Subsequent to this, the passenger observed a ‘couple of holes’ in the upper surface 
of the left wing with a fire burning immediately out of one of the holes (Figure D1) 
The witness described the fire as extending straight up to a height that was about 
the same height as the diameter of the hole in the wing and was above the wing for 
5 to 6 minutes. Although it had reduced in severity after this, the passenger 
mentioned that it remained visible for approximately 10 minutes. The witness 
described the fire as bright yellow in colour and intermittent; ‘at times it was gone 
for a few seconds and then it came back’. During the ATSB interviews, the flight 
crew did not make mention of a fire in the left wing. Subsequently, the flight crew 
reported that, during the flight, they were not aware of such a fire. 


Figure D1: View from the window on the upper deck, left side showing the 
presence of smoke/dark residue on the aft side of the hole 
(arrowed) 


Image supplied by a passenger 


Photographs supplied by the witness, those taken after the aircraft had landed and 
visual confirmation by the ATSB all showed the presence of smoke/dark residue on 
the aft side of the hole in the upper wing skin (Figure D1 and Figure D4). 


A review of the damage observable from the passenger's seat on the upper deck 
indicated that the engine mechanicals and structure could be seen through the 
arrowed hole in Figure D1. 
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A380 wing tank detail 


The A380 wing fuel tanks are integral to the aircraft's wing structure (Figure D2). 
The LIT is an L-shaped chamber and is located close to the fuselage. The tank is 
bound by wing ribs 1and 13 behind the centre spar, and ribs 8 and 13 in front of the 
centre spar (Figure D3). The inner tanks are capable of holding a total fuel weight 
of 36,220 kg (79,850 Ib). Information recorded on the flight data recorder (FDR) 
showed that at the time of the engine failure, the LIT was approximately 1/4 full, 
holding approximately 4,300 kg (9,480 Ib) of fuel. The FDR data showed that the 
weight of the fuel in the LIT remained constant during the period following the 
failure of the IP turbine disc. 


Figure D2: Fuel tanks onboard the A380 
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Image courtesy Airbus training manual, Level 1, ATA 28 


Damage to the left inner tank 


The LIT structure was considerably damaged by debris from the No 2 engine 
failure. The damage resulted when a large segment of the liberated IP turbine disc 
struck the wing bottom skin and passed through the front spar and LIT structure, 
before exiting through the wing upper skin. As a result of the disc's trajectory, the 
most significant damage to the LIT occurred to the front spar between ribs 9 and 10, 
and the upper wing skin in the region of rib 9 (Figure D3 to Figure D5). 

Table D1 provides the dimensions of the through-penetrations that were identified 
in the LIT. 


Table D1: Summary of damage in the left inner tank 


Location Dimensions (mm) 
Front spar, Rib 9 — 10 350 x 350 

Front spar, Rib 9 — 10 82x20 

Front spar, Rib 10 — 11 150 x 250 
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Front spar, Rib 12 — 13 80 x 50 
Wing bottom skin, Rib 10 — 11, Stringer 6 140 x 110 


Wing upper skin, Rib 9 -10, Front spar — stringer 1 — 460 x 120 


Figure D3: Schematic of the LIT (green) and feed tank 2 (blue), showing the 
location of the major front spar and top skin damage 


Ribs 13 


Front 
spar 


Image modified from an Airbus-supplied model. 


Dark coloured residue 


During the aircraft damage assessment, a dark coloured residue was identified on 
some surfaces within the LIT. Minor discolouration was also observed on the 
fractured surfaces of the large hole in the upper wing skin and on the painted 
surface of the skin towards the rearward side of the disc exit hole (Figure D4). 


Figure D4: Major damage on the LIT upper wing skin 
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An examination of the internal surfaces of the LIT showed the residue to be 
principally located on the upper regions of the front spar (above the large hole), and 
along the underside of the top skin on the surfaces of the stringers (Figure D5 and 
Figure D6). The residue was also observed within the vent pipe shown in 

Figure D6. No evidence of dark residue was observed on either the wing underside, 
or on the front droop-nose structure. 


Figure D5: Damage and residue on the front spar (viewed forward from inside 
the LIT) 


Sample locations mole in upper wing skin 
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FQIS wiring 


Residue swab samples were taken from a number of locations within the LIT for 
further characterisation Figure D5. The painted surfaces immediately underneath 
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the residue did not exhibit any damage, discolouration or blistering. Airbus advised 
that the paint used within the LIT had undergone testing at between 100 °C and 
180 *C with limited colour change noted. 


Analysis of dark residue/debris 


The samples from within the LIT were forwarded to the Australian Federal Police 
Chemical Criminalistics laboratory in Canberra for examination. In order to 
establish the composition of the dark residue, the samples were analysed using a 
number of techniques, including: microscopic examination, Raman spectroscopy, 
scanning electron microscopy, energy dispersive x-ray spectrometry and gas 
chromatography-mass spectrometry. The main findings of that analysis were that 
the: 


* darkresidue was amorphous carbon, or soot 
e soot was heavily enriched with fine (spherical) particles of aluminium 


* darkresidue did not contain heavy petroleum distillate hydrocarbons, such 
as engine oil 


e dark residue was not bacterial in nature. 


Examination of wiring 


The severed and damaged wires in the areas surrounding the perforations in the LIT 
presented a potential ignition source for the fire that developed within the tank. As 
such, the wiring looms and cables were removed from the area surrounding the 
main damage sites in the left wing structure and forwarded to the ATSB's Canberra 
facilities for further examination. The examined wiring originated from the: 


e fuel quantity indicator system (FQIS) 

e No.1 engine variable frequency generator (VFG) feeder cable 
e No.2 engine VFG feeder cable 

* wiring loom harnesses 1M, 1S, 2M, 2S and 2P. 


The results of those examinations are described in the following sections. 


Fuel Quantity Indicator System 


The FQIS wiring was the only wiring located inside the LIT (shown in Figure D6 
and Figure D7). 
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Figure D7: Location of the FQIS wiring within the LIT (green) 


Rib 8 


Image: Modified from A380 Aircraft Maintenance Manual 


The section of FQIS wiring supplied was a y-shaped piece, approximately 1.2 m 
long, which had been severed during the engine failure. A small area of additional 
damage was observed towards the end of one of the sections. A visual inspection of 
the exposed wires showed severe mechanical damage; many of the conductors 
exhibited significant deformation as a result of contact with the liberated engine 
debris. The inspection identified a number of ‘cup and cone’ and angular shear 
fractures, all consistent with tensile overstress failure (Figure D8). No evidence of 
any discolouration or arcing was observed on the fractured ends of the wires, and 
the plastic coating did not exhibit any discolouration, burning or charring. 


Figure D8: Magnified view of the severed end of the FQIS wiring 
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Variable Frequency Generator feeder cables 


The VFG feeder cables for the No. 1 (VFG1) and No. 2 (VFG2) engines were 
located in the bay forward of the front spar (Figure D9). The VFG1 and 

VFG2 feeders had been severed at the left wing leading edge. An examination by 
Airbus reported that there was no visible trace of arcing, short circuit or overheats 
on any cable. 


Following removal from the aircraft, sections of both feeder cables were sent to the 
ATSB’s Canberra facilities for further examination. The VFG1 cable section had 
been completely severed, while the section of VFG2 cable had some remaining 
wires intact. 


Figure D9: Location of VFG1 and 2 feeder cables along the wing front spar 


DRIVE RIB 2 


FRONT SPAR 


Image: Modified from A380 Aircraft Maintenance Manual 


The severed wires exhibited deformation and markings consistent with the 
mechanical damage that was observed on the FQIS wiring. The fractured strands 
exhibited *cup and cone' features that were indicative of an overstress failure 
(Figure D10). 


Figure D10: Magnified view of the severed end of VFG2 wiring 
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A small discoloured spot was identified on one of the VFG2 cables supplied 
(Figure D11). While the source of the discolouration was not identified, there did 
not appear to be any associated melting that would indicate that it was a result of 
arcing. 


Figure D11: VFG2 cable showing small area of discolouration 


Wiring harnesses 


The following VFG monitoring harnesses were provided to the ATSB for 
examination: "° 


* Harness 1M 3001 VB 

e Harness 1S 3013 VB 

* Harness 2M 3007 VB 

* Harness 2S 3019 VB 

* Harness 1P — 3031VB, 3033VB, 3035VB and 3025VB 


The sections of harness comprised of a number of smaller wires encased in an outer 
sheath. Damage to the harnesses varied from complete separation to minor damage 
to the outer sheath and a small number of wires (Figure D12 and Figure D13). 


139 The harnesses were a set of electrical wires identified by four digits and the letters VB. The first 
two identifiers denoted the harness route, where the number designates the system and the latter 
the route category. For example, ‘M’ meant miscellaneous and route ‘P’ included power lines. 
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Figure D12: Overview of severed harnesses in-situ, located in the left wing 
leading edge (also showing the front spar, looking rearward) 


All of the exposed severed wires were examined, with no evidence of any arcing 
noted. The fractured ends of the wires were consistent with overstress failures as a 
result of localised mechanical impact. 
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Fuel tank flammability 


A review of the current literature on aircraft fuel tank fires was conducted to 
ascertain the conditions under which combustion can occur within an aircraft fuel 
tank. A further study was undertaken to look at the factors that might limit the 
sustainability of any such fire, and conversely, what factors might support the 
continuation (and possible growth) of a fire under similar conditions. 


A discussion on the recent activity by the various worldwide aviation safety and 
regulatory groups to minimise the inherent risk of fuel tank susceptibility to fire is 
also included below. 


Combustion theory 


Fire is a complex process controlled by chemical and physical factors. Fire is 
initiated by achieving an appropriate heat balance," and can only be maintained if 
the associated chemical reactions can sustain themselves. 


The fire triangle concept states that three components - fuel, an ignition source, and 
an oxidiser - must be simultaneously present for a fire to occur. To begin with, the 
fuel and oxygen (the oxidiser) are required to be present in flammable proportions. 
Heat is then added locally (the ignition source) until a large enough population of 
free radicals (unstable chemical species) is developed to ignite the mixture. The 
temperature must be high enough to provide the energy required to break chemical 
bonds in fuel molecules and enable various reactions to occur. The chemical 
reaction is then propagated until an equilibrium flame temperature is reached. 
Usually, this process is vigorous enough for thermal radiation to be released at a 
visible wavelength — thus the appearance of a flame. 


Combustion of pre-mixed fuel vapours is subsonic in speed and called a 
deflagration. The deflagration can be ignited by an external source or self (auto) 
ignition. External ignition sources can be flames, sparks or hot surfaces. The flame 
itself can be a diffusion flame (laminar, for example a candle, or turbulent, as in the 
case of most fires) or pre-mixed (laminar, for example a Bunsen burner, or 
turbulent, such as in an internal combustion engine or a fuel vapour fire inside a 
fuel tank). 


Deflagration events can also be transient (flash) or sustained (fire). This will be 
determined by a number of factors, but essentially stems from the heat generation 
rate compared with the heat loss rate and the production rate of radicals compared 
with their termination rate. 


The factors that influence whether combustion occurs and how long it will last 
include the proximity of the fuel to an oxidiser, any ventilation, and the temperature 
and pressure. For hydrocarbon fuels, the principal chemical reaction occurs through 
gas-phase radical formation, whereby thorough mixing is required between the fuel 
and the oxidiser in the gaseous phase. In this context, ventilation is important, as the 
gas ingredients (fuel and oxygen) must be incorporated (if not pre-mixed). It 
follows that any physical confinement will hinder gas travel (and hence fuel/oxygen 


1^ Heat balance is the establishment of a condition of thermal equilibrium in a space, where the heat 
gains equal the heat losses. 


1! BlazeTech, Aircraft fire and explosion in accidents, combat, and terrorist attack: Course notes, 
Nov 2011. 
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mixing), while too much ventilation can lead to cooling or vapour dilution 
sufficient to extinguish a flame. 


Temperature is important as it controls the vapour pressure and initial vapour 
flammability. The temperature must be high enough to initiate a reaction, and must 
remain so to continue the process. Pressure also affects the flammability limits, with 
increasing pressure widening the temperature range at which combustion will 

occur. 


A transition from deflagration to detonation (supersonic) combustion can occur in 
gaseous mixtures due to flame acceleration by mechanisms such as precompression 
of the gasses ahead of the flame, turbulence generation from obstacles and solid 
boundaries, and flow speed increases at physical constrictions along the flame path. 


Properties of aviation fuels 


The aircraft’s fuel tanks were filled with Jet A-1 fuel, which is a kerosene fuel that 
has essentially the same specification limits as Jet A fuel. The only property that 
differs between the two fuel types is that Jet A-1 has a lower maximum freezing 
point of -47 °C. International fuel standards” specify a number of properties, 
including distillation temperature, flash point temperature and net heat of 
combustion. Jet A-1 has a specified boiling range of 149 to 290 °C, a flash point 
minimum of 37.8 °C (100 °F) and an auto-ignition temperature in the range of 
200 to 260 °C.” 


The Jet A-1 properties of relevance for fire predictions (such as flammability limits, 
ignition energy, electrostatic charging tendency, auto-ignition temperature and rate 
of fire spread) are not included in the fuel specifications and are not generally 
measured during fuel inspection. "^^ 


The flash point of a fuel is described as the minimum liquid temperature giving 
sufficient vapour to form a flammable vapour-air mixture at the liquid/air interface. 
The mixture will ignite when subjected to a small flame, but the fire may not 
sustain and will therefore ‘flash’ and then self-extinguish. The CRC Handbook of 
aviation fuel properties gives the average flash point of Jet A-1 as 42.2 ?C, but 
different methods used to determine the flash point do not always give equivalent 
results. 


In general, the flash point is useful for qualitative ranking of fuels. However, it has 
been shown that liquid fuels present in tanks and pools will propagate flames at 
temperatures below the established flash point. ^^ 


Another relevant property of a fuel is known as the fire point. This determines the 
temperature at which a flame will be sustained after the ignition source is removed. 


1? There are three major specifications in civil use worldwide, ATSB D1655, the British Def Stan 


91-91 and the Russian specification GOST 10227. 
143 Coordinating Research Council report No. 635, “Handbook of Aviation Fuel Properties”, 2004 


Third Edition. 


144 Fuel flammability task group, DOT/FAA/AR-98/26, A Review of the Flammability Hazard of Jet 
A Fuel Vapor in Civil Transport Aircraft Fuel Tanks, Federal Aviation Administration, June 1998. 


145 Ibid. 
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Fire points are generally higher than flash points by about 4 to 5 °C for most 
hydrocarbon fuels. 


The vapour pressure of a fuel is the pressure of a vapour in equilibrium with the 
liquid and is temperature dependant. If the vapour pressure at a particular 
temperature and the volume of space is known, calculations can predict the amount 
of fuel existing in the vapour. The Reid Vapour Pressure is a common measure of 
the volatility of a fuel and is defined as the vapour pressure exerted by a liquid at 
100 ?F (37.8 ?C). This test method results in an extremely low value for 

Jet A/A-1 (less than 1 psi/6.9 kPa), with the effect that, for low volatility fuels such 
as Jet A/A-1, the results are of limited application for predicting flammability. 


Flammability envelope 


The standard flammability envelopes shown in Figure D14 were derived from 
various literature sources and contain a number of assumptions, including a static 
(unmoving) tank, a well-mixed ullage'"^ and thermodynamic equilibrium with the 
atmosphere. The graph indicates that Jet A is mainly non-flammable, with a small 
exception in tropical atmospheres at low altitude. 


Figure D14: Typical flammability limits for common aviation fuels 
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It should be noted that the static flammability envelope has not been used as a tool 
in fuel tank design or flight operations. That is, designers have always assumed a 
flammable vapour can exist in fuel tanks, and accordingly, have adopted standards 
to preclude ignition sources from within such tanks. “” 


Importantly however, flammability limits can be extended, and the tank ullage can 
become flammable under the influence of a number of variables. These variables 
can include fuel properties, fuel tank design, and the amount of fuel in the tank, as 
well as external factors such as heat transfer from surrounding equipment. 


"6 Ullage is the volume, or free space, above the liquid level in a tank. 


147 Thid. 
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It is well documented within the literature that dynamic processes (conditions of 
movement or agitation) can significantly broaden the flammability envelope over 
that present in the static case (Figure D15). The rich limit” will remain unchanged 
in such cases, as the dynamic processes will add fuel to an already rich condition. 
One of the most important of these processes is the formation of a mist of fuel 
droplets inside the tank due to fuel ‘sloshing’ under normal aircraft vibration and 
motion. The understanding of these dynamic effects is qualitative in nature, due to 
the inherent broad variability of conditions that are describable as being ‘dynamic’. 


Figure D15: Dynamic versus static flammability envelope 
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Image: Courtesy of Coordinating Research Council report No. 635, Handbook of Aviation 
Fuel Properties, 2004 Third Edition 
Conditions within the aircraft's LIT 


At the time of the engine failure, the aircraft was at an altitude of approximately 
7,000 ft (2,100 m). The aircraft's flight data recorder provided information on the 
temperature within the fuel tanks at that time (Table D2). 


Table D2: Conditions at the time of the occurrence 


Location Temperature (°C) 
Feeder tank 2 (fuel) 26.5 

Left outer (fuel) 29.7 

Outside air temperature (OAT) 15 


The temperature on the ground at the time of departure was 27.5 ?C. 


The three temperatures (feeder tank 2, left outer and OAT) are shown on 
Figure D15 with red dots. While the conditions represented by these data points 


148 The rich limit is the upper flammability limit and is the highest concentration of a combustible gas 
that will produce a flash of fire in the presence of an ignition source. 
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were located below the static flammability lower limit, under dynamic conditions, 
the vapour mixture may fall within the broader flammability limits. If the agitated 
fuel droplets were subsequently vaporised by the passage of a fragment of hot 
debris through the fuel tank, the fuel vapour pressure in the ullage may have been 
further raised. 


Potential ignition sources inside fuel tanks 


A review of potential ignition sources within, and around the LIT was undertaken to 
establish whether these sources may have contributed to the fire event. Research 
has shown that potential ignition sources could include pumps, an electrical source 
(wiring malfunction, electrostatic discharge, fuel indicator system), lightning and 
fragment impact. 


Hot surface ignition 


A review of the current literature indicated that while in-tank fires can be produced 
by engine debris, their expected probability of occurrence is very low. It has been 
shown however that, in the presence of mechanical agitation (either by aircraft or 
fragment motion), the composition of the fuel/air mixture and the fuel temperatures 
may be sufficient to allow a fire to ignite, in the event of a fragment entering the 
tank ullage. 


The favourable conditions for the ignition of a combustion process by a hot 
fragment depend on the fuel/air mixture, temperature of the fragment and the 
duration of exposure to the hot fragment. There is no unique threshold temperature 
for hot-surface ignition, as it will be influenced by numerous factors, such as 
surface geometry (concave or convex), whether in a closed or open environment, 
local air velocities and residence time. ^? 


Moussa et al? provided an analysis of the convective heat transfer from a fragment 


to the ullage gases in order to determine the temperature of the fragment and its 
surrounding vapour film as a function of time. Their research showed that at sea 
level, fragment temperatures greater than 712 ?C can raise the air/fuel film 
temperature sufficiently for ignition to occur (that is, above the auto-ignition 
temperature). As such, debris from the engine exterior or casing would be unlikely 
to cause ignition, as it generally does not reach such temperatures during operation. 
However, internal engine components (turbine blades, discs) frequently operate at 
temperatures exceeding this value, and thus present as a viable ignition source 
should they enter the tank ullage. 


Information supplied by the engine manufacturer estimated that the IP turbine disc 
drive arm reached temperatures of between 1,125 and 1,290 ?C. While the bulk of 
the disc may not have reached these temperatures, and the liberated sections would 
have begun to cool immediately following ejection, those estimated temperatures 
are well above the limits required for hot surface ignition. Additionally, the research 


19 Fuel flammability task group, DOT/FAA/AR-98/26, A review of the flammability hazard of Jet A 
fuel vapor in civil transport aircraft fuel tanks, Federal Aviation Administration, June 1998. 


150 NA Moussa, MD Whale, DE Groszmann & XJ Zhang, DOT/FAA/AR-96/95, The potential for 
fuel tank fire and hydrodynamic ram from uncontained engine debris, Federal Aviation 
Administration, January 1997. 
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also suggested that the frictional effects associated with the passage of debris can 
generate high localised temperatures and increase the probability of ignition. 


As previously discussed, for fuel vapour to ignite it must not only be at an 
appropriate temperature, but there must also be a specific mixture of fuel and air. 
Under the dynamic conditions associated with debris passage, the concentration of 
the fuel in the vapour near the fragment is higher due to the localised evaporation of 
the droplets by the hot fragment. 


Whether the fuel tank becomes explosive following ignition is dependent upon the 
amount of fuel and air ready for immediate combustion, as well as the penetration 
hole size. An increased perforation area will result in a reduced pressure rise and 
can allow more air/oxygen to enter the tank. 


The location at which the fragment enters the tank is also likely to affect whether 
ignition will occur when the temperature is within the flammability limits. Although 
not definitive, the research has shown that if the fragment enters the ullage while 
the vapour is within the flammable range, it is likely that ignition will occur. 
Conversely, if the fragment enters the ullage after passage through the liquid fuel, 
there is a potential for ignition. However, one source believed that the probability 
would be less than when the ullage was entered directly. Lastly, the research 
showed that should the fragment enter the liquid fuel only, ignition would be 
unlikely to occur. ^ 


Electrical/Spark 


A review of the literature indicated that information and contemporary 
understanding of spark ignition is incomplete. Some studies have shown that 
conservatively, 0.25 mJ of electrical energy is all that is needed to ignite a typical 
flammable mixture. The minimum ignition energy (MIE) is dependent on a number 
of variables and has been shown to be at a minimum when the fuel/air mixture is 
slightly rich, and higher at increased altitudes due to the decreased oxygen levels. 


Examination of the wiring as discussed previously did not show any signs of arcing 
or overheating associated with electrical currents or short-circuiting. 


Ignition prevention on the A380 


Airbus advised that a number of design precautions had been taken to minimise the 
risk of ignition in the A380. The following is a select list of those precautions: 


Wiring 
e The materials used and the large number of fasteners on the attachment of 
the metallic structure for the wing and trim tanks ensure that the fuel tank 


structures are electrically bonded. Additionally, the aircraft's composite 
ribs are bonded by metallic strips attached to the non-metallic structure. 


e Components and equipment located in the aircraft’s fuel tanks have 
specified bonding procedures and bonding points to help prevent the build- 


55! NA Moussa, MD Whale, DE Groszmann & XJ Zhang, DOT/FAA/AR-96/95, The potential for 
fuel tank fire and hydrodynamic ram from uncontained engine debris, Federal Aviation 
Administration, January 1997. 
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Pumps 


up of static electricity in the structure, and to provide lightning strike 
protection. 


All metallic structures in the wing, trim tank and centre wing box have a 
layer of anti-corrosion epoxy primer to protect the main structure against an 
electrical short between the electrical harnesses and the structure. 


All of the fuel system wiring is insulated to protect against short circuits to 
other wiring and structure. 


The only wiring in any of the fuel tanks is for the fuel sensing and 
monitoring systems, which transmit very low energy. 


Each pump within the fuel tanks has a pump element, which has an electric 
motor and is contained in a canister. The element is electrically bonded to 
the canister. Electrical connections to all pumps are made outside the fuel 
tank. The moving parts inside the pump are normally kept immersed in fuel 
so they cannot cause a spark during fault conditions. 


The pumps also have an electronic controller that supplies and controls the 
electrical voltage to the motor. The controller is kept cool by fuel and 
contains a thermal cut-out fuse for each phase of the electrical power 


supply. 
A ground fault interrupter contactor is installed between the power supply 


busbars and all fuel pumps. This is to remove the power supply to a pump if 
an intermittent short circuit is made to the structure. 


All the motor-operated valves are installed in the fuel tanks and are dual 
bonded. All the related actuators are installed outside the tank wall. 


The fuel pump pressure switches are installed on the front and rear spars 
and are separated from the fuel by a diaphragm. The electrical connectors 
are fully sealed to give protection from explosion. 


Heat sources 


The wing leading edges contain hot air-ducting pipes from the engines to 
the bleed air and anti-icing systems. These pipes are insulated and remote 
from the tank boundary. A leak/overheat detection system is installed to 
sense if a hot air leak occurs near to the tank wall. 


A leak/overheat detection system is installed for the auxiliary power unit 
(APU) hot air ducting in the tail and fuselage areas. 


Heat-insulating blankets are installed on the front spar of the wing between 
Rib 1 and Rib 3 to give protection from the heat generated by the air 
generation unit located in the inner leading edge. A leak/overheat detection 
system is installed to sense if a hot air leak occurs in this area. 
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Fuel leaks 


e Where leaks occur, fuel from the wing and trim tanks will go to the 
leading/trailing edge or the outside. If fuel overflows from a NACA 
intake on the wings, it is directed downwards and away from the engines 
(heat source) by a fuel leak drip strip that is located inboard of the NACA 
intakes. 
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e The equipment installed in the wing leading and trailing edges has 
explosion protection and is insulated from any fuel leakage. 


e The APU feed pipe and trim tank transfer pipe (in the rear fuselage) are 
both shrouded. If there is a fuel leak from the inner pipes, it is drained 
overboard through the drain mast. 


e The trim tank external surface between Rib 4 left and Rib 4 right, which is 
inside the rear unpressurized fuselage, is painted with a protective layer of 
barrier paint. This barrier paint protects against fuel leaks (both vapour and 
liquid) and is resistant to deterioration from long-term contact with fuel 
and/or hydraulic fluid. 


Fuel tank flammability minimisation — regulatory history 


Efforts to reduce fuel tank flammability have been directly related to areas of the 
fire pyramid. Over time, regulatory bodies have looked at the fuel, heat (and 
ignition) sources and the fuel/oxygen ratio. 


One of the first attempts to reduce fuel tank flammability, as early as the 1950s, was 
to promote the use of Jet A fuel over Jet B, due to the lower volatility of Jet A. The 
use of Jet B was subsequently prohibited by the Australian Department of Civil 
Aviation, and its use is now generally confined to locations where lower air 
temperatures require the use of higher flash point fuels. ^? 


Focus then shifted to identifying potential ignition sources and removing them from 
fuel tanks. The MIE for hydrocarbon vapours was thought to be about 0.25mJ and 
thus the electrical energy applied to any component in the fuel tank has been limited 
to a value that is 10 times lower than this. 


Special Federal Aviation Regulation 88 (SFAR 88) was released in 2001. The main 
goal of SFAR 88 was to preclude ignition sources from fuel tanks, and the safety 
assessments carried out during the implementation of the rule revealed some 
unexpected ignition sources. Further assessments and service difficulty reports 
following the implementation of SFAR 88 showed that ignition sources continued 
to be identified, with over 20 airworthiness directives subsequently released. 


1? National Advisory Committee for Aeronautics. The NACA duct is located near the wingtip. As an 
air inlet, the duct ensures that the differential pressure between the interior of the fuel tanks and 
the outside atmospheric pressure is kept to a minimum. As a fuel vent system outlet, the duct is 
sized to permit fuel flow overboard in the event of an automatic refuel failure. 


153 Fuel flammability task group, DOT/FAA/AR-98/26, A review of the flammability hazard of Jet A 
fuel vapor in civil transport aircraft fuel tanks, Federal Aviation Administration, June 1998. 
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In 1998, a review by the Aviation Rulemaking Advisory Committee (ARAC) of 
fuel tank ignition events "^ showed that there had been 16 such instances, including 
eight wing tank and eight centre or fuselage tank events. Five of the eight wing tank 
events involved the use of Jet B/JP-4 fuel, while all the centre tank events involved 
the use of Jet A/A-1 fuel. Additionally, the ignition source was known in all the 
wing tank events, with no known wing tank explosions resulting from internal 
ignition sources. Historically, most commercial jets utilise integral wing tanks, with 
only some employing centre/fuselage tanks. As such, experience with the 
performance of wing fuel tanks is somewhat greater than that relating to centre or 
fuselage-based tanks. 


In summary, conclusions drawn from the fuel tank fire data examined were: 


e In general, unheated aluminium wing tanks fuelled with Jet A have 
exhibited an acceptable service history. 


* A wingtank fuelled with JP-4 had approximately the same flammability 
exposure as an empty heated centre tank with Jet A; these two cases have 
not had an acceptable service history. 


Fuel tank flammability minimisation — recent regulatory activity 


Comparatively recent events involving aircraft fuel tank fires (after the introduction 
of SFAR 88) have lead the US Federal Aviation Administration (FAA) to move 
towards the implementation of another layer of protection. As such, the most recent 
work has begun to focus on the flammability of the fuel/air mixture within the tank 
ullage. 


As shown previously, Jet A/A-1 vapours are considered too lean to be flammable at 
sea level. However, research has shown that at certain times and under certain 
conditions in the flight cycle, the fuel/air mixture may become flammable. The 
most recent efforts have been to reduce the flammability exposure level to an 
acceptable level, either through the inherent design of the tank, or by implementing 
flammability reduction means (FRM). 


FAR 26.33 (effective as of 7 February 2009) stipulated that type certificate holders 
must perform a flammability exposure analysis of all tanks, except for those 
meeting the definition of a conventional, unheated aluminium wing tank. The fleet 
average flammability exposure of fuel tanks that were designed to be normally 
emptied, and where any portion was within the fuselage contour, could not exceed 
396 of the flammability exposure evaluation time (FEET)? during the ground, 
takeoff or climb phases of flight on a warm day. "^ For all other fuel tanks, the fleet 
average flammability exposure could not exceed 796. 


Airbus advised a flammability analysis for the A380 fuel tanks was prepared and 
submitted to the FAA to show compliance with FAR 26.33. That analysis 


14 Aviation Rulemaking Advisory Committee (ARAC), Service History/Fuel Tank Safety Level 
Assessment, Task Group 1, July 1998. 


1 Flammability exposure evaluation time is the time from the start of preparing the aeroplane for 
flight, through the flight and landing, until all payload is unloaded, and all passengers and crew 
have disembarked. 


156 Federal Aviation Administration, Part 26 Continued Airworthiness and safety improvements for 
transport category airplanes, Subpart D — Fuel tank flammability, Section 26.33, effective 7/2/09. 
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concluded that the wing and trim tanks were a low flammability risk (below 796 
flammability exposure). As there is no centre wing tank on the A380 aircraft, there 
was no requirement to develop a flammability reduction system for any of the fuel 
tanks under the current airworthiness requirements. 


ANALYSIS 


Left inner tank fire 


The witness report/photographs and subsequent testing of surface deposits indicated 
that a fire occurred within the left inner fuel tank (LIT) moments after a liberated 
fragment of the intermediate pressure (IP) turbine disc perforated the left wing. The 
recorded data showed no evidence of fuel loss from the LIT and it was believed that 
the disc fragment had passed through the ullage space only. 


The steady-state conditions within the LIT at the time of the disc failure appeared to 
be outside the flammability range of Jet A-1 fuel. However, a literature review 
indicated that ignition was still possible, due to factors such as fuel sloshing, 
vibration and impact agitation that may have pushed conditions in the tank into the 
dynamic flammability envelope. 


A number of potential sources of ignition were explored. However, the hot IP 
turbine disc fragment was considered the most likely, due to the proximate location 
of the soot around the tank perforations and the temperatures required to initiate 
combustion in Jet A-1 fuel. Friction between the liberated fragment and the tank 
skin could also have provided an additional, localised heat source. Despite the 
presence of severed feeder cables and electrical wiring looms that were located 
around the LIT, there was no evidence of arcing or electrical discharge that might 
have otherwise provided an ignition source. 


It is likely that the fuel mist in the ullage as a result of sloshing and impact was 
ignited by a large disc fragment as it passed through the fuel tank, particularly as 
the fragment was significantly hotter than the auto-ignition and hot surface ignition 
temperatures calculated for Jet A-1 fuel. 


Why the fire did not sustain 


While the duration of the fire was not able to be ascertained with any level of 
confidence, the absence of thermal damage to the wing structure, external surfaces, 
or the tank's internal painted surfaces suggested that the associated temperature rise 
was relatively low — consistent with a short-lived combustion event. While the 
witness reported the presence of a fire for approximately 10 minutes duration, it 
was possible that the observation was actually a fire within the engine structure 
itself, as the rear of the engine was directly visible from the passenger's seat, 
through the holes in the wing. 


There were a number of possible reasons why the LIT fire was not sustained, 
including: 


e The fire consumed the oxygen inside the tank — reducing it to a level below 
that required for the combustion of Jet A-1. 
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The temperature rise associated with the initial combustion was low and 
therefore insufficient to increase the temperature of the fuel in the tank to 
the lower static flammability limit of Jet A-1. Quenching of the flame by 
the fuel tank walls (as evidenced by the associated sooting) and the entry of 
cooling air through the tank perforations may have contributed in this 
regard. 


Conditions settled and became more static within the tank after the 
fragment's passage, narrowing the vapour flammability envelope and 
limiting the potential for continued combustion. 


The damage sustained by the tank restricted any significant internal 
pressure rise that may have promoted accelerated combustion. 
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Submissions 


Under Part 4, Division 2 (Investigation Reports), Section 26 of the Transport Safety 
Investigation Act 2003 (the Act), the Australian Transport Safety Bureau (ATSB) 
may provide a draft report, on a confidential basis, to any person whom the ATSB 
considers appropriate. Section 26 (1) (a) of the Act allows a person receiving a draft 
report to make submissions to the ATSB about the draft report. 


A draft of this report was provided to Qantas Airways Ltd, flight and cabin crew, 
Airbus SAS, Rolls-Royce plc, relevant manufacturing personnel from 
Rolls-Royce plc, CASA, Indonesian NTSC, AAIB of Singapore, UK AAIB, UK 
CAA, BEA and EASA. 


Submissions were received from all of those parties. The submissions were 
reviewed and where considered appropriate, the text of the report was amended 
accordingly. 
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